Professional Documents
Culture Documents
Copyright Statement
Ruijie Networks©2019
Ruijie Networks reserves all copyrights of this document. Any reproduction, excerption, backup, modification,
transmission, translation or commercial use of this document or any portion of this document, in any form or by any means,
without the prior written consent of Ruijie Networks is prohibited.
Exemption Statement
This document is provided “as is”. The contents of this document are subject to change without any notice. Please obtain
the latest information through the Ruijie Networks website. Ruijie Networks endeavors to ensure content accuracy and will
not shoulder any responsibility for losses and damages caused due to content omissions, inaccuracies or errors.
·
Preface
Thank you for using our products. This manual matches the RGOS Release 11.4(1)B42P17.
Audience
Network engineers
Network administrators
Community: https://community.ruijienetworks.com
Skype: service_rj@ruijienetworks.com
Related Documents
Documents Description
Describes the functional and physical features and provides the device
Hardware Installation and Reference
installation steps, hardware troubleshooting, module technical specifications,
Guide
and specifications and usage guidelines for cables and connectors.
Conventions
Convention Description
italic font Arguments for which you supply values are in italics.
Symbols
Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of
data.
System Configuration
1. Configuring CLI
3. Configuring Lines
6. Configuring Syslog
7. Configuring CWMP
8. Configuring MONITOR
9. Configuring ZAM
1 Configuring CLI
1.1 Overview
The command line interface (CLI) is a window used for text command interaction between users and network devices. You
can enter commands in the CLI window to configure and manage network devices.
N/A
1.2 Applications
Application Description
Configuring and Managing Network You can enter commands in the CLI window to configure and manage network
Devices Through CLI devices
As shown in Figure 1-1, a user accesses network device A using a PC, and enter commands in the CLI window to configure
and manage the network device.
Figure 1-1
Deployment
As shown in Figure 1-2, the user uses the Secure CRT installed on a PC to set up a connection with network device A, and
opens the CLI window to enter configuration commands.
1-1
Configuration Guide Configuring CLI
Figure 1-2
1.3 Features
Overview
Feature Description
Accessing CLI You can log in to a network device for configuration and management.
Command Modes The CLI provides several command modes. Commands that can be used vary according to
command modes.
System Help You can obtain the help information of the system during CLI configuration.
Abbreviated Commands If the entered string is sufficient to identify a unique command, you do not need to enter the
full string of the command.
No and Default Options of You can use the no option of a command to disable a function or perform the operation
Commands opposite to the command, or use the default option of the command to restore default
settings.
Prompts Indicating Incorrect An error prompt will be displayed if an incorrect command is entered.
Commands
History Commands You can use short-cut keys to display or call history commands.
Featured Editing The system provides short-cut keys for editing commands.
Searching and Filtering of the You can run the show command to search or filter specified commands.
Show Command Output
Command Alias You can configure alias of a command to replace the command.
1-2
Configuration Guide Configuring CLI
As soon as a new session is set up with the network device management interface, you enter User EXEC mode. In this mode,
you can use only a small number of commands and the command functions are limited, such as the show commands.
Execution results of commands in User EXEC mode are not saved.
To use more commands, you must first enter Privileged EXEC mode. Generally, you must enter a password to enter
Privileged EXEC mode. In Privileged EXEC mode, you can use all commands registered in this command mode, and further
enter global configuration mode.
Using commands of a certain configuration mode (such as global configuration mode and interface configuration mode) will
affect configuration in use. If you save the configuration, these commands will be saved and executed next time the system is
restarted. You must enter global configuration mode before entering another configuration mode, such as interface
configuration mode.
The following table summarizes the command modes by assuming that the name of the network device is “Ruijie”.
1-3
Configuration Guide Configuring CLI
1. At the command prompt in any mode, enter a question mark (?) to list the commands supported by the current
command mode and related command description.
For example
Ruijie>?
Exec commands:
1-4
Configuration Guide Configuring CLI
2. Enter a space and a question mark (?) after a keyword of a command to list the next keyword or variable associated
with the keyword.
For example
Ruijie(config)#interface ?
If the keyword is followed by a parameter value, the value range and description of this parameter are displayed as
follows:
Ruijie(config)#interface vlan ?
3. Enter a question mark (?) after an incomplete string of a command keyword to list all command keywords starting with
the string.
For example
1-5
Configuration Guide Configuring CLI
Ruijie#d?
4. After an incomplete command keyword is entered, if the suffix of this keyword is unique, press the Tab key to display
the complete keyword.
For example
5. In any command mode, run the help command to obtain brief description about the help system.
For example
Ruijie(config)#help
be empty and you must backup until entering a '?' shows the
available options.
argument.
For example, to run the interface gigabitEthernet 0/1 command in GigabitEthernet 0/1 interface configuration mode, enter
the abbreviated command as follows:
Ruijie(config)#int g0/1
Ruijie(config-if-GigabitEthernet 0/1)#
1-6
Configuration Guide Configuring CLI
Most configuration commands have the default option. The default option is used to restore default settings of the command.
Default values of most commands are used to disable related functions. Therefore, the function of the default option is the
same as that of the no option in most cases. For some commands, however, the default values are used to enable related
functions. In this case, the function of the default option is opposite to that of the no option. At this time, the default option is
used to enable the related function and set the variables to default values.
For specific function of the no or default option of each command, see the command reference.
Operation Result
Display the previous command in the history command list. Starting from the latest record, you can
Ctrl+P or the UP key
repeatedly perform this operation to query earlier records.
After pressing Ctrl+N or the DOWN key, you can return to a command that is recently executed in
Ctrl+N or the DOWN
the history command list. You can repeatedly perform this operation to query recently executed
key
commands.
The standard terminals, such as the VT100 series, support the direction keys.
1-7
Configuration Guide Configuring CLI
When the editing cursor is close to the right boundary, the entire command line will move to the left by 20 characters, and the
hidden front part is replaced by the dollar ($) signs. You can use the related keys or short-cut keys to move the cursor to the
characters in the front or return to the head of the command line.
For example, the whole access-list may exceed the screen width. When the cursor is close to the end of the command line
for the first time, the entire command line moves to the left by 20 characters, and the hidden front part is replaced by the
dollar signs ($). Each time the cursor is close to the right boundary, the entire command line moves to the left by 20
characters.
Press Ctrl+A to return to the head of the command line. At this time, the hidden tail part of the command line is replaced by
the dollar signs ($).
Command Description
Searches specified contents from the output of the show
show any-command | begin regular-expression command. The first line containing the contents and all
information that follows this line will be output.
To filter specified contents from the output of the show command, run the following commands:
1-8
Configuration Guide Configuring CLI
Command Description
Filters the output of the show command. Except those
show any-command | exclude regular-expression
containing the specified contents, all lines will be output.
Filters the output of the show command. Only the lines
show any-command | include regular-expression
containing the specified contents will be output.
To search or filter the output of the show command, you must enter a vertical line (|). After the vertical line, select the
searching or filtering rules and contents (character or string). Searched and filtered contents are case sensitive.
interface Mgmt 0
Configuration Effect
For example, configure "mygateway" as the alias of the ip route 0.0.0.0 0.0.0.0192.1.1.1 command. To run this command,
you only need to enter "mygateway".
2. Replace the front part of a command with a word, and enter the later part.
For example, configure "ia" as the alias of the ip address command. To run this command, you need to enter "ia" and then
the specified IP address and subnet mask.
Configuration Steps
In User EXEC or Privileged EXEC mode, default alias are available for some commands. You can run the show aliases
command to display these default aliases.
Ruijie(config)#show aliases
1-9
Configuration Guide Configuring CLI
h help
p ping
s show
u undebug
un undebug
Run the show aliases command to display alias settings in the system.
Notes
The command replaced by an alias must start from the first character of the command line.
The entire alias must be entered when the alias is used; otherwise, the alias cannot be identified.
Configuration Example
Configuration In global configuration mode, configure the alias "ir" to represent the default route configuration command ip
Steps route 0.0.0.0 0.0.0.0 192.168.1.1.
Ruijie#configure terminal
Verification Run the show alias command to check whether the alias is configured successfully.
Ruijie(config)#show alias
h help
p ping
1-10
Configuration Guide Configuring CLI
s show
u undebug
un undebug
Use the configured alias to run the command, and run the show running-config command to check
whether the alias is configured successfully.
Ruijie(config)#ir
Ruijie(config)#show running-config
Building configuration…
ip route 0.0.0.0 0.0.0.0 192.168.1.1 //Configuration result after the alias "ir" is entered
Configuration In global configuration mode, configure the alias "ir" to represent the front part "ip route" of the default route
Steps configuration command.
Ruijie#configure terminal
Verification Run the show alias command to check whether the alias is configured successfully.
Ruijie(config)#show alias
h help
p ping
s show
u undebug
un undebug
1-11
Configuration Guide Configuring CLI
ir ip route
Enter the alias "ir" and then the later part of the command "0.0.0.0 0.0.0.0 192.168.1.1".
Run the show ap-config running command to check whether the configuration is successful.
Ruijie(config)#show running
Building configuration…
ip route 0.0.0.0 0.0.0.0 192.168.1.1 //Configuration result after the alias "ir" and the later part
of the command are entered
System Help
1. The system provides help information for command alias. An asterisk (*) will be displayed in front of an alias. The format
is as follows:
*command-alias=original-command
For example, in Privileged EXEC mode, the default command alias "s" represents the show keyword. If you enter "s?", the
keywords starting by "s" and alias information are displayed.
Ruijie#s?
2. If the command represented by an alias contains more than one word, the command is displayed in a pair of quotation
marks.
For example, in Privileged EXEC mode, configure the alias "sv" to replace the show version command. If you enter "s?", the
keywords starting by "s" and alias information are displayed.
Ruijie#s?
start-terminal-service
3. You can use the alias to obtain help information about the command represented by the alias.
For example, configure the alias "ia" to represent the ip address command in interface configuration mode. If you enter "ia?"
in interface configuration mode, the help information on "ip address?" is displayed, and the alias is replaced by the command.
Ruijie(config-if)#ia ?
1-12
Configuration Guide Configuring CLI
A.B.C.D IP address
Ruijie(config-if)#ip address
If you enter a space in front of a command, the command represented by this alias will not be displayed.
1-13
Configuration Guide Configuring Basic Management
2.1 Overview
This document is a getting started guide to network device management. It describes how to manage, monitor, and maintain
network devices.
2.2 Applications
Application Description
Network Device Management A user logs in to a network device from a terminal and runs commands on a command
line interface (CLI) to manage device configurations.
Network device management described in this document is performed through the CLI. A user logs in to Network Device A
from a terminal and runs commands on the CLI to manage device configurations. See Figure 2-1.
Figure 2-1
2-1
Configuration Guide Configuring Basic Management
2.3 Features
Basic Concepts
TFTP
Trivial File Transfer Protocol (TFTP) is a TCP/IP protocol which allows a client to transfer a file to a server or get a file from a
server.
AAA
Authentication refers to the verification of user identities and the related network services.
Authorization refers to the granting of network services to users according to authentication results.
Accounting refers to the tracking of network service consumption by users. A billing system charges users based on
consumption records.
RADIUS
Remote Authentication Dial In User Service (RADIUS) is the most widely used AAA protocol at present.
Telnet
Telnet is a terminal emulation protocol in the TCP/IP protocol stack which provides access to a remote host through a virtual
terminal connection. It is a standard protocol located at Layer 7 (application layer) of the Open System Interconnection (OSI)
model and used on the internet for remote login. Telnet sets up a connection between the local PC and a remote host.
System Information
System information includes the system description, power-on time, hardware and software versions, control-layer software
version, and boot-layer software version.
Hardware Information
Hardware information includes the physical device information as well as slot and module information. The device
information includes the device description and slot quantity. The slot information includes the slot ID, module description
(which is empty if a slot does not have a module), and actual and maximum number of physical ports.
Overview
Feature Description
User Access Control Controls the terminal access to network devices on the internet based on passwords and privileges.
Login Authentication Performs username-password authentication to grant access to network devices when AAA is
Control enabled. (Authentication is performed by a dedicated server.)
2-2
Configuration Guide Configuring Basic Management
Basic System Refer to the parameters of a system, such as the clock, banner, and Console baud rate.
Parameters
Displaying Displays the system configurations, including the configurations that the system is currently running
Configurations and the device configurations stored in the nonvolatile random access memory (NVRAM).
Multiple-configuration Allows users to modify the path for saving startup configurations of the device and the corresponding
Booting file name.
Zero Configuration Allows automatic service delivery and configuration maintenance for remote devices after device
power-on, without requiring manual operation of network administrators.
Telnet Telnet is an application-layer protocol in the TCP/IP protocol stack. It provides the standard governing
remote login and virtual terminal communication on the internet.
Restart Introduces system restart.
Runs the commands in batches.
Running Batch File
Commands
Working Principle
Privilege Level
16 privilege levels are defined ranging from 0 to 15 for CLI on network devices to grant users access to different commands.
Level 0 is the lowest level granting access to just a few commands, whereas level 15 is the highest level granting access to
all commands. Levels 0 and 1 are common user levels without the device configuration permission (users are not allowed to
enter global configuration mode by default). Levels 2–15 are privileged user levels with the device configuration permission.
Password Classification
Passwords are classified into two types: password and security. The first type refers to simple encrypted passwords at level
15. The second type refers to secure encrypted passwords at levels 0–15. If a level is configured with both simple and secure
encrypted passwords, the simple encrypted password will not take effect. If you configure a non-15 level simple encrypted
password, a warning is displayed and the password is automatically converted into a secure encrypted password. If you
configure the same simple encrypted password and secure encrypted password at level 15, a warning is displayed.
Password Protection
Each privilege level on a network device has a password. An increase in privilege level requires the input of the target level
password, whereas a reduction in privilege level does not require password input.
By default, only two privilege levels are password-protected, namely, level 1 (common user level) and level 15 (privileged
user level). Sixteen privilege levels with password protection can be assigned to the commands in each mode to grant
access to different commands.
2-3
Configuration Guide Configuring Basic Management
If no password is configured for a privileged user level, access to this level does not require password input. It is
recommended that a password be configured for security purposes.
Command Authorization
Each command has its lowest execution level. A user with a privilege level lower than this level is not allowed to run the
command. After the command is assigned a privilege level, users at this level and higher have access to the command.
Related Configuration
A secure encrypted password is used to control the switching between user levels. It has the same function as a simple
encrypted password but uses an enhanced password encryption algorithm. Therefore, secure encrypted passwords are
recommended out of security consideration.
A command at a lower level is accessible by more users than a command at a higher level.
Run the enable command or the disable command to raise or lower a user privilege level respectively.
After logging in to a network device, the user can change his/her level to obtain access to commands at different
privilege levels.
Line password protection is required for remote login (such as login through Telnet).
Run the password[ 0 | 7 ] line command to configure a line password, and then run the login command to enable
password protection.
2-4
Configuration Guide Configuring Basic Management
In AAA, the username and password entered by a user are authenticated by a server. If authentication is successful, the user
can access the network device and enjoy certain management permissions.
For example, a RADIUS server can be used to authenticate usernames and passwords and control users' management
permissions on network devices. Network devices no longer store users' passwords, but send encrypted user information to
the RADIUS server, including usernames, passwords, shared passwords, and access policies. This provides a convenient
way to manage and control user access and improve user information security.
Working Principle
Line Password
If AAA is disabled, you can configure a line password used to verify user identities during login. After AAA is enabled, line
password verification does not take effect.
Local Authentication
If AAA is disabled, you can configure local authentication to verify user identities and control management permissions by
using the local user database. After AAA is enabled, local authentication does not take effect.
AAA
AAA provides three independent security functions, namely, Authentication, Authorization and Accounting. A server (or the
local user database) is used to perform authentication based on the configured login authentication method list and control
users' management permissions. For details about AAA, see Configuring AAA.
Related Configuration
Run the username command to configure the account used for local identity authentication and authorization, including
usernames, passwords, and optional authorization information.
Run the login local command (in the case that AAA is disabled).
Run the login authentication command to configure a login authentication method list for a line.
2-5
Configuration Guide Configuring Basic Management
Run the exec-timeout command to change the default connection timeout time. An established connection will be
closed if no output is detected during the timeout time.
Perform this configuration when you need to increase or reduce the connection timeout time.
Run the session-timeout command to change the default session timeout time.
The session established to a remote host through a line will be disconnected if no output is detected during the timeout
time. Then the remote host is restored to Idle. Perform this configuration when you need to increase or reduce the
session timeout time.
Locking a Session
Run the lockable command to lock the terminals connected to the current line.
To lock a session, first enable terminal lock in line configuration mode, and then run the lock command in terminal
EXEC mode to lock the terminal.
The network device system clock records the time of events on the device. For example, the time shown in system logs is
obtained from the system clock. Time is recorded in the format of year-month-day, hour:minute:second, day of the week.
When you use a network device for the first time, set its system clock to the current date and time manually.
You can configure a system name to identify a network device. The default system name is Ruijie. A name with more than
32 characters will be truncated to keep only the first 32 characters. The command prompt keeps consistent with the system
name.
Banner
A banner is used to display login prompt information. There are two types of banner: Daily notification and login banner.
Daily notification is displayed on all terminals connected to network devices soon after login. Urgent messages (such as
immediate system shutdown) can be delivered to users through daily notification.
2-6
Configuration Guide Configuring Basic Management
You can manage network device through a Console port The first configuration on the network device must be performed
through the Console port. The serial port baud rate can be changed based on actual requirements. Note that the
management terminal must have consistent baud rate setting with the device console.
The connection timeout time is used to control device connections (including established connections and sessions
established to remote hosts). A connection will be closed when no input is detected during the timeout time.
Related Configuration
Run the clock set command to configure the system time of a network device manually. The device clock starts from
the configured time and keeps running even when the device is powered off.
If the hardware clock and software clock are not synchronized, run the clock update-calendar command to copy the
date and time of the software clock to the hardware clock.
Daily notification is displayed on all terminals connected to network devices soon after login. Urgent messages (such as
immediate system shutdown) can be delivered to users through daily notification.
Run the banner login command to configure a login banner to display login information.
2-7
Configuration Guide Configuring Basic Management
Working Principle
Running Configurations
Running configurations, namely, running-config, are the configurations that individual component modules run in real time. A
request can be made to all running components to collect configurations, which will be orchestrated before being displayed to
users. Only running components may provide real-time configurations, whereas unloaded components do not display
configurations. In the case that the system is started, and a component process is restarted, the configurations collected
during this period may be inaccurate due to the component unstable state. For example, the configurations of a component
may not be missing initially but can be displayed later.
Startup Configurations
The configurations stored in the NVRAM, namely, startup-config, are the configurations executed during device startup.
When the system is restarted, startup-config is loaded to become new running-config. To display permanent configurations,
the system needs to read the startup-config file in the NVRAM.
The startup-config file copied from external environment to the device only supports UTF-8(no BOM) format.
Related Configuration
Run the show running-config [ interface interface ] command to display the configurations that the system is currently
running or the configurations on an interface.
Run the write or copy running-config startup-config command to store the current running configurations as new startup
configurations.
2-8
Configuration Guide Configuring Basic Management
Working Principle
By default, the startup configuration file of a device is saved in Flash:/config.text and named config.text. Use this
command to modify the path for saving startup configurations of the device and the corresponding file name.
The startup configuration file name follows a slash ''/'', for example, Flash:/ruijie.text and Usb0:/ruijie.text.
The startup configuration file name consists of a path and a file name. The path is mandatory. Otherwise,
configurations cannot be saved by using the write command. Take Flash:/ruijie/ruijie.text and
Usb0:/ruijie/ruijie.text as examples, where the Flash:/ruijie and Usb0:/ruijie folders must exist. In master-slave
mode, all device paths are required.
To save the startup configuration file to a USB flash drive, the device must provide a USB interface with a USB
flash drive inserted. Otherwise, configurations cannot be saved by using the write command. In master-slave
mode, all devices must have USB flash drives connected.
Related Configuration
Modifying the Path for Saving Startup Configurations and the Corresponding File Name
Run the boot config { flash:filename | usb0:filename } command to modify the path for saving startup configurations and
the corresponding file name.
Displaying the Path for Saving Startup Configurations and the Corresponding File Name
Run the show boot config command to display the path for saving startup configurations and the corresponding file name.
Working Principle
The zero configuration function involves the following process: A device with default configurations is powered on, obtains a
device management address from the DHCP server of the ACS, and sends the SNMP INFORM message to the ACS; after
receiving the SNMP INFORM message, the ACS delivers startup configurations of the device, and immediately validates the
configurations.
With the zero configuration function, DHCP Snooping Trust is enabled only on the last two electrical ports and all
SFP ports of the device by default, regardless of whether the device supports the MGMT port.
Enabling and disabling the zero configuration function will delete the startup configuration file of the device and
trigger device restart.
2-9
Configuration Guide Configuring Basic Management
Related Configuration
Run the zcm { enable | disable } command to enable or disable the zero configuration function.
2.3.7 Telnet
Working Principle
Telnet is an application-layer protocol in the TCP/IP protocol stack. It provides the standard governing remote login and
virtual terminal communication on the internet.
The Telnet Client service allows a local or remote user who has logged in to a network device to use its Telnet Client program
to access other remote system resources on the internet. In Figure 2-2, a user with a PC connects to Network Device A by
using the terminal emulation or Telnet program and then logs in to Network Device B by using the telnet command to
perform configuration management.
Ruijie Telnet program supports the use of IPv4 and IPv6 addresses. A Telnet server accepts Telnet connection requests that
carry IPv4 and IPv6 addresses. A Telnet client can send connection requests to hosts identified by IPv4 and IPv6 addresses.
Figure 2-2
Related Configuration
2-10
Configuration Guide Configuring Basic Management
2.3.8 Restart
The timed restart feature makes user operation easier in some scenarios (such as tests).
If you configure a time interval, the system will restart after the interval. The interval is in the format of mmm or hhh:mm,
in the unit of minutes. You can specify the interval name to reflect the restart purpose.
If you define a future time, the system will restart when the time is reached.
The clock feature must be supported by the system if you want to use the at option. It is recommended that you
configure the system clock in advance. A new restart plan will overwrite the existing one. A restart plan will be invalid if
the system is restarted before the plan takes effect.
The span between the restart time and current time must not exceed 31 days, and the restart time must be later than
the current system time. After you configure a restart plan, do not to change the system clock; otherwise, the plan may
fail (for example, the system time is changed to a time after the restart time.)
Related Configuration
Configuring Restart
Perform this configuration when you need to restart a device at a specific time.
You can specify the name and content of the batch file on your PC and transfer the file to the device flash memory
through TFTP. The batch processing content simulates user input. Therefore, you need to edit the batch file content
according to the CLI command configuration sequence. In addition, you need to write the responses to interactive
commands to the batch file to ensure normal command execution.
The batch file size must not exceed 128 KB; otherwise, it will fail to be executed. You can divide a large batch file into
multiple parts not larger than 128 KB each.
Related Configuration
Batch-Running Commands
2-11
Configuration Guide Configuring Basic Management
2.4 Configuration
Enabling and Disabling a (Optional) It is used to enable and disable a specific service.
2-12
Configuration Guide Configuring Basic Management
Assign a privilege level to a command to grant the command access to only the users at or higher than the level.
Lower the command privilege level to grant more users access to the command.
Raise the command privilege level to limit the command access to a few users.
Notes
You can use the password configuration command with the level option to configure a password for a specific privilege
level. After you specify the level and the password, the password works for the users who need to access this level.
By default, no password is configured for any level. The default level is 15.
If you configure a simple encrypted password with a non-15 level, a warning is displayed and the password is
automatically converted into a secure encrypted password.
The system chooses the secure encrypted password over the simple encrypted password if both of them are
configured.
Configuration Steps
(Optional) Perform this configuration when you need to establish simple encrypted password verification when users
switch between different privilege levels.
2-13
Configuration Guide Configuring Basic Management
(Optional) Perform this configuration when you need to establish secure encrypted password verification when users
switch between different privilege levels.
A secure encrypted password has the same function as a simple encrypted password but uses an enhanced password
encryption algorithm. Therefore, secure encrypted passwords are recommended out of security consideration.
Optional.
A command at a lower level is accessible by more users than a command at a higher level.
After logging in to a network device, the user can change his/her level to obtain access to commands at different
privilege levels.
Run the enable command or the disable command to raise or lower a user privilege level respectively.
(Optional) Line password protection is required for remote login (such as login through Telnet).
Run the password [ 0 | 7 ] line command to configure a line password, and then run the login command to enable login
authentication.
If a line password is configured but login authentication is not configured, the system does not display password
prompt.
Verification
Run the show privilege command to display the current user level.
Related Commands
2-14
Configuration Guide Configuring Basic Management
Leading spaces are allowed, but will be ignored. However, intermediate and trailing spaces are
recognized.
If you specify an encryption type and enter a password in plaintext, you cannot re-enter privileged
EXEC mode. An encrypted password cannot be retrieved once lost. You have to configure a new
password.
2-15
Configuration Guide Configuring Basic Management
Use this command to exit Privileged EXEC mode and return to user EXEC mode. If privilege-level is
specified, the current privilege level is reduced to the specified level.
Command login
Parameter N/A
Description
Command Line configuration mode
Mode
Usage Guide N/A
Configuration Example
Scenario Assign privilege level 1 to the reload command and its subcommands and configure level 1 as the valid
level (by configuring the test password).
2-16
Configuration Guide Configuring Basic Management
Configuration Assign privilege level 1 to the reload command and its subcommands.
Steps
Ruijie(config)# end
Verification Check whether the reload command and its subcommands are accessible at level 1.
Ruijie# disable 1
Ruijie> reload ?
at reload at<cr>
Disconnect an established session connecting to a remote host and restore the host to Idle if no output is detected
during the timeout time.
Lock a terminal to deny access. When a user enters any character on the locked terminal, the password prompt is
displayed. The terminal will be automatically unlocked if the entered password is correct.
Configuration Steps
Mandatory.
Run the username command to configure the account used for local identity authentication and authorization, including
usernames, passwords, and optional authorization information.
Mandatory.
Configure local authentication for line-based login in the case that AAA is disabled.
2-17
Configuration Guide Configuring Basic Management
(Optional) Perform this configuration to configure AAA authentication for line-based login.
Configure AAA authentication for line-based login in the case that AAA is enabled.
Optional.
Run the login access non-aaa command in global configuration mode to authenticate line-based login in non-AAA
mode in the case that AAA is enabled.
(Optional) Perform this configuration to close the suspended connection on a Telnet client.
Optional.
Enable the Telnet Server service when you need to enable Telnet login.
Optional.
An established connection will be closed if no output is detected during the timeout time.
Perform this configuration when you need to increase or reduce the connection timeout time.
Optional.
The session connecting to a remote host will be disconnected and the host be restored to Idle if no output is detected
during the timeout time.
Perform this configuration when you need to increase or reduce the session timeout time.
Locking a Session
2-18
Configuration Guide Configuring Basic Management
(Optional) Perform this configuration when you need to temporarily exit a session on a device.
To lock a session, first enable terminal lock in line configuration mode, and then run the lock command to lock the
terminal.
Verification
In the case that AAA is disabled, after local user information and line-based local authentication are configured, check
whether users are prompted for username and password input for access to the CLI.
In the case that AAA is enabled, after local user information and local AAA authentication are configured, check
whether users are prompted for username and password input for access to the CLI.
Run the show user command to display the information about the users who have logged in to the CLI.
Telnet clients can connect to devices enabled with the Telnet Server service.
When a user presses Enter on a locked CLI, the user is prompted for password input. The session is unlocked only
when the entered password is the same as the configured one.
Run the show sessions command to display every established Telnet client instance.
Related Commands
Command username name [ login mode { aux | console | ssh | telnet } ] [ online amount number ] [ permission
oper-mode path ] [ privilege privilege-level ] [ reject remote-login ] [ web-auth ] [ pwd-modify ]
[ nopassword | password [ 0 | 7 ] text-string | secret [ 0 | 5 ] text-string
Parameter name: Indicates a user name.
Description login mode: Indicates the login mode.
aux: Sets the login mode to AUX.
console: Sets the login mode to Console.
ssh: Sets the login mode to SSH.
telnet: Sets the login mode to Telnet.
online amount number: Indicates the maximum number of online accounts.
permission oper-mode path: Configures the file operation permission. op-mode indicates the operation
mode, and path indicates the directory or path of a specific file.
privilege privilege-level: Indicates the account privilege level, ranging from 0 to 15.
reject remote-login: Rejects remote login by using the account.
web-auth: Allows only Web authentication for the account.
pwd-modify: Allows the account owner to change the password. This option is available only when
web-auth is configured.
nopassword: Indicates that no password is configured for the account.
password [ 0 | 7 ] text-string: Indicates the password configured for the account. 0 indicates that the
password is input in plaintext, and 7 indicates that the password is input in cyphertext. The default is
2-19
Configuration Guide Configuring Basic Management
plaintext.
secret [ 0 | 5 ] text-string: Indicates the password configured for the account. 0 indicates that the password is
input in plaintext, and 5 indicates that the password is input in cyphertext. The default is plaintext.
Command Global configuration mode
Mode
Usage Guide Use this command to create a local user database to be used by authentication.
If the value 7 is selected for the encryption type, the entered cyphertext string must consist of an even
number of characters.
This setting is applicable to the scenario where encrypted passwords may be copied and pasted. In other
cases, the value 7 is not selected.
Command telnet [ oob ] host [ port ] [ /source { ip A.B.C.D | ipv6 X:X:X:X::X | interface interface-name } ] [ /vrf
2-20
Configuration Guide Configuring Basic Management
vrf-name ]
Parameter oob: Remotely connects to a Telnet server through out-of-band communication (by using a management
Description port). This option is available only when the device has a management port.
host: Indicates the IPv4 address, IPv6 address, or host name of the Telnet server.
port: Indicates the TCP port number of the Telnet server. The default value is 23.
/source: Indicates the source IP address or source port used by a Telnet client.
ip A.B.C.D: Indicates the source IPv4 address used by the Telnet client.
ipv6 X:X:X:X::X: Indicates the source IPv6 address used by the Telnet client.
interface interface-name: Indicates the source port used by the Telnet client.
/vrf vrf-name: Indicates the name of the virtual routing and forwarding (VRF) table to be queried.
Command Privileged EXEC mode
Mode
Usage Guide A user can telnet to a remote device identified by an IPv4 host name, IPv6 host name, IPv4 address, or IPv6
address.
Command do telnet [ oob ] host [ port ] [ /source { ip A.B.C.D | ipv6 X:X:X:X::X | interface interface-name } ] [ /vrf
vrf-name ]
Parameter oob: Remotely connects to a Telnet server through out-of-band communication (by using a management
Description port). This option is available only when the device has a management port.
host: Indicates the IPv4 address, IPv6 address, or host name of the Telnet server.
port: Indicates the TCP port number of the Telnet server. The default value is 23.
/source: Indicates the source IP address or source port used by a Telnet client.
ip A.B.C.D: Indicates the source IPv4 address used by the Telnet client.
ipv6 X:X:X:X::X: Indicates the source IPv6 address used by the Telnet client.
interface interface-name: Indicates the source port used by the Telnet client.
/vrf vrf-name: Indicates the name of the VRF table to be queried.
Command Privileged EXEC mode/configuration mode/interface configuration mode
Mode
Usage Guide A user can telnet to a remote device identified by an IPv4 host name, IPv6 host name, IPv4 address, or IPv6
address.
Command <1-99>
Parameter N/A
Description
Command User EXEC mode
Mode
Usage Guide Use this command to restore a Telnet client session. A user can press the shortcut key Ctrl+Shift+6 X to
temporarily exit the Telnet client session that is established using the telnet command, run the <1-99>
command to restore the session, and run the show sessions command to display the session information.
2-21
Configuration Guide Configuring Basic Management
Command lockable
2-22
Configuration Guide Configuring Basic Management
Parameter N/A
Description
Command Line configuration mode
Mode
Usage Guide N/A
Command lock
Parameter N/A
Description
Command Line configuration mode
Mode
Usage Guide N/A
Configuration Example
Configuration Establish a Telnet session to a remote network device with the IP address 192.168.65.119.
Steps Establish a Telnet session to a remote network device with the IPv6 address 2AAA:BBBB::CCCC.
Run the telnet command in privileged EXEC mode, and run the do telnet command in privileged
EXEC mode/configuration mode/interface configuration mode.
Password:
Password:
Password:
Verification Check whether the Telnet sessions are established to the remote network devices.
2-23
Configuration Guide Configuring Basic Management
Verification Check whether the connection between a terminal and the local device is closed when no input is
detected during the timeout time.
Verification Check whether the session between a terminal and the local device is disconnected when no input is
detected during the timeout time.
Configuration Steps
Mandatory.
Configure the system time of a network device manually. The device clock starts from the configured time and keeps
running even when the device is powered off.
The time configuration is applied only to the software clock if the network device does not provide a hardware clock.
The configuration will be invalid when the device is powered off.
Optional.
Perform this configuration when you need to copy the date and time of the software clock to the hardware clock so that
the hardware clock is synchronized with the software clock.
2-24
Configuration Guide Configuring Basic Management
(Optional) Perform this configuration when you need to display important prompts or warnings to users.
You can configure notification in one or multiple lines, which will be displayed to users after login.
(Optional) Perform this configuration when you need to display important messages to users upon login or logout.
(Optional) Perform this configuration to change the default Console baud rate.
Verification
Run the show version command to display the system information and version.
Related Commands
2-25
Configuration Guide Configuring Basic Management
Mode
Usage Guide After the configuration, the time of the software clock will overwrite that of the hardware clock.
2-26
Configuration Guide Configuring Basic Management
Configuration Example
Ruijie# clock set 10:10:12 6 20 2003 //Configure the system time and date.
Verification Run the show clock command in privileged EXEC mode to display the system time.
Ruijie# show clock //Confirm that the changed system time takes effect.
Configuration Configure the daily notification message "Notice: system will shutdown on July 6th." with the pound key
Steps (#) as the delimiter.
Ruijie(config)#
C:\>telnet 192.168.65.236
Password:
2-27
Configuration Guide Configuring Basic Management
Configuration Configure the login banner message "Access for authorized users only. Please enter your password."
Steps with the pound key (#) as the delimiter.
# //Ending delimiter
Ruijie(config)#
C:\>telnet 192.168.65.236
Password:
Ruijie(config-line)# speed 57600 //Set the console baud rate to 57,600 bps.
* 0 CON 57600 0
2-28
Configuration Guide Configuring Basic Management
Ruijie(config-line)# speed 57600 //Set the console baud rate to 57,600 bps.
^^x none ^M
never never
Modem: READY
Dynamically adjust system services when the system is running, and enable and disable specific services (SNMP
Agent, SSH Server, and Telnet Server).
Configuration Steps
Enabling the SNMP Agent, SSH Server, and Telnet Server Services
(Optional) Perform this configuration when you need to use these services.
Verification
Run the show services command to display the service Enabled/Disable state.
2-29
Configuration Guide Configuring Basic Management
Related Commands
Enabling the SSH Server, Telnet Server, and SNMP Agent Services
Configuration Example
Modify the path for saving startup configurations and the corresponding file name.
Notes
The startup configuration file name consists of a path and a file name. The path is mandatory. Otherwise, configurations
cannot be saved by using the write command. Take Flash:/ruijie/ruijie.text and Usb0:/ruijie/ruijie.text as examples,
where the Flash:/ruijie and Usb0:/ruijie folders must exist. In master-slave mode, all device paths are required.
To save the startup configuration file to a USB flash drive, the device must provided a USB interface with a USB flash
drive inserted. Otherwise, configurations cannot be saved by using the write command. In master-slave mode, all
devices must have USB flash drives connected.
Configuration Steps
2-30
Configuration Guide Configuring Basic Management
Modifying the Path for Saving Startup Configurations and the Corresponding File Name
(Optional) Perform this configuration when you need to modify the startup configuration file.
Verification
Run the show boot config command to display the path for saving startup configurations and the corresponding file
name.
Related Commands
Modifying the Path for Saving Startup Configurations and the Corresponding File Name
Command
boot config { flash:filename | usb0:filename }
Parameter
flash: Saves the startup configuration file in the extensible Flash.
Description
usb0: Saves the startup configuration file in USB0 device. The device must have a USB interface into which
a USB flash drive is inserted.
Command
Global configuration mode
Mode
Usage Guide
Use this command to modify the path for saving startup configurations and the corresponding file name.
Configuration Example
Ruijie(config)# boot config flash:/ruijie.text//Change the path and file name into
flash:/ruijie.text.
Verification Run the show boot config command to display the path for saving startup configurations and the
corresponding file name.
Notes
2-31
Configuration Guide Configuring Basic Management
With the zero configuration function, DHCP Snooping Trust is enabled only on the last two electrical ports and all SFP
ports of the device by default, regardless of whether the device supports the MGMT port.
Enabling and disabling the zero configuration function will delete the startup configuration file of the device and trigger
device restart.
Configuration Steps
(Optional) Perform this configuration when you need to enable or disable the zero configuration function.
Verification
Run the show zcm mod command to check whether the zero configuration function is enabled.
Related Commands
Command
zcm { enable | disable }
Parameter
enable: Enables the zero configuration function.
Description
disable: Disables the zero configuration function.
Command
Privileged EXEC mode
Mode
Usage Guide
Use this command to enable and disable the zero configuration function.
Configuration Example
*Sep 29 12:36:20: %ZCM-5-MODE_SWITCH: The device is reloading due to zero or non-zero configuration
mode switch.
Verification Run the show zcm mode command to display whether the zero configuration function is enabled.
2-32
Configuration Guide Configuring Basic Management
Configuration Steps
Run the reload command in privileged EXEC mode to restart the system immediately.
If you configure a specific time, the system will restart at the time. The time must be a time in the future. The month day year
parameter is optional. If it is not specified, the system clock time is used by default.
The clock feature must be supported by the system if you want to use the at option. It is recommended that you
configure the system clock in advance. A new restart plan will overwrite the existing one. A restart plan will be invalid if
the system is restarted before the plan takes effect.
The restart time must be later than the current system time. After you configure a restart plan, do not change the system
clock; otherwise, the plan may fail (for example, the system time is changed to a time after the restart time.)
Related Commands
Restarting a Device
Configuration Steps
Run the execute command, with the path set to the batch file to be executed.
2-33
Configuration Guide Configuring Basic Management
You can specify the name and content of the batch file on your PC and transfer the file to the device flash memory
through TFTP. The batch processing content simulates user input. Therefore, you need to edit the batch file content
according to the CLI command configuration sequence. In addition, you need to write the responses to interactive
commands to the batch file to ensure normal command execution.
The batch file size must not exceed 128 KB; otherwise, it will fail to be executed. You can divide a large batch file into
multiple parts not larger than 128 KB each.
Related Commands
2.5 Monitoring
Displaying
Description Command
show boot config Displays the save path and file name.
show clock Displays the current system time.
show line { aux line-num | console line-num | tty
Displays line configurations.
line-num | vty line-num | line-num }
show reload Displays system restart settings.
Displays the current running configurations of the device or the
show running-config [ interface interface ]
configurations on an interface.
show startup-config Displays the device configurations stored in the NVRAM.
show this Displays the current system configurations.
show version [ devices | module | slots ] Displays system information.
show sessions Displays the information of each established Telnet client
instance.
2-34
Configuration Guide Configuring Lines
3 Configuring Lines
3.1 Overview
There are various types of terminal lines on network devices. You can manage terminal lines in groups based on their types.
Configurations on these terminal lines are called line configurations. On network devices, terminal lines are classified into
multiple types such as CTY, TTY, AUX, and VTY.
3.2 Applications
Application Description
Accessing a Device Through Enter the command-line interface (CLI) of a network device through the Console.
Console
Accessing a Device Through VTY Enter the CLI of a network device through Telnet or SSH.
Figure 3-1
Deployment
The network management station connects to the Console port of a network device through a serial cable. Using the Console
software (Hyper Terminal or other terminal simulation software) on the network management station, you can access the
Console of the network device and enter the CLI to configure and manage the network device.
Figure 3-2
3-1
Configuration Guide Configuring Lines
Deployment
The network management station connects to a network device through the network. Using a VTY client (such as Putty) on
the network management station, you can access the network device through Telnet or SSH and enter the CLI to configure
and manage the network device.
3.3 Features
Basic Concepts
CTY
The CTY line refers to the line connected to the Console port. Most network devices have a Console port. You can access
the local system through the Console port.
VTY
The VTY line is a virtual terminal line that does not correspond to any hardware. It is used for Telnet or SSH connection.
Overview
Feature Description
Basic Features Configures a terminal, displays and clears terminal connection information.
Run the line command in global configuration mode to enter the configuration mode of a specified line.
When a terminal connects to the network device, the corresponding terminal line is occupied. Run the show user command
to display the connection status of these terminal lines. If you want to disconnect the terminal from the network device, run
the clear line command to clear the terminal line. After the terminal lines are cleared, the related connections (such as Telnet
3-2
Configuration Guide Configuring Lines
and SSH) are interrupted, the CLI exits, and the terminal lines restore to the unoccupied status. Users can re-establish
connections.
Run the line vty command to enter the VTY line configuration mode and specify the number of VTY terminals.
By default, there are 5 VTY terminals, numbered from 0 to 4. You can increase the number of VTY terminals to 36, with new
ones numbered from 5 to 35. Only new terminals can be removed.
3.4 Configuration
Configuration Steps
Mandatory.
Unless otherwise specified, enter line configuration mode on each device to configure line attributes.
Optional.
Run the (no) line vty line-number command to increase or reduce the number of VTY lines.
Verification
Related Commands
3-3
Configuration Guide Configuring Lines
Usage Guide Run the no line vty line-number command to reduce the number of available VTY lines.
Configuration Example
Scenario
Figure 3-3
Configuration Connect the PC to network device A through the Console line and enter the CLI on the PC.
Steps Run the show user command to display the connection status of the terminal line.
Run the show line console 0 command to display the status of the Console line.
Enter global configuration mode and run the line vty command to increase the number of VTY
terminals to 36.
A
Ruijie#show user
3-4
Configuration Guide Configuring Lines
* 0 CON 9600 0
^^x ^D ^M
00:10:00 never
Ruijie#configure terminal
Ruijie(config)#line vty 35
Ruijie(config-line)#
Verification After running the show line command, you can find that the number of terminals increases.
Run the show running-config command to display the configuration.
A
Ruijie#show line vty ?
3-5
Configuration Guide Configuring Lines
Ruijie#show running-config
Building configuration...
ip tcp not-send-rst
vlan 1
interface Mgmt 0
line con 0
line vty 0 35
login
3-6
Configuration Guide Configuring Lines
end
Configuration Steps
Optional.
Run the absolute-timeout command to ensure that a line is disconnected after the specified time.
Configuring the Character You Enter at a Vacant Terminal to Begin a Terminal Session
Optional.
Run the activation-character command in line configuration mode to configure a character to activate a terminal.
Optional.
Run the autocommand command in line configuration mode to enable automatic command execution on terminals
with asynchronous ports.
Configuring the Number of Data Bits per Character for Physical Terminal Connections
Optional.
Optional.
Optional.
Optional.
3-7
Configuration Guide Configuring Lines
Configuring the Start Character of Software Flow Control for Physical Terminal Connections
Optional.
Configuring the Stop Character of Software Flow Control for Physical Terminal Connections
Optional.
Configuring the Number of Stop Bits per Byte for Physical Terminal Connections
Optional.
Optional.
Verification
Related Commands
Configuring the Character You Enter at a Vacant Terminal to Begin a Terminal Session
3-8
Configuration Guide Configuring Lines
Configuring the Number of Data Bits per Character for Physical Terminal Connections
Command exec-character-bits { 7 | 8 }
Parameter 7: Selects the 7-bit ASCII character set.
Description 8: Selects the 8-bit ASCII character set.
Command Line configuration mode
Mode
Usage Guide If you need to enter Chinese characters or display Chinese characters, images, or other international
characters in the command line, run the exec-character-bits 8 command.
3-9
Configuration Guide Configuring Lines
the Rx rate of the peer end. Since terminals cannot receive data while sending data, flow control serves to
prevent data loss. When high-data-rate devices communicate with low-rate-data devices (e.g., a printer
communicates with a network port), you also need to enable flow control to prevent data loss. Ruijie general
operating system (RGOS) provides two flow control modes: software flow control (controlled with control
keys) and hardware flow control (controlled by hardware). The default stop character and start character for
software flow control are respectively Ctrl+S (XOFF, with the ASCII value 19) and Ctrl+Q (XON, with the
ASCII value 17). You can also run the stop-character and start-character commands to configure them.
Configuring the Start Character of Software Flow Control for Physical Terminal Connections
Configuring the Stop Character of Software Flow Control for Physical Terminal Connections
Configuring the Number of Stop Bits per Byte for Physical Terminal Connections
Command stopbits { 1 | 2 }
Parameter 1: Indicates one stop bit.
Description 2: Indicates two stop bits.
Command Line configuration mode
3-10
Configuration Guide Configuring Lines
Mode
Usage Guide You should configure the stop bits for communication between the asynchronous line and the connected
network device (such as a conventional numb terminal and modem).
Configuration Example
Configuring the Baud Rate, Data Bits, Parity Bits, and Stop Bits
Scenario
Figure 3-4
Configuration Connect the PC to network device A through the Console line and enter the CLI on the PC.
Steps Configure the baud rate, data bits, parity bit, and stop bits in global configuration mode.
Run the show line console 0 command to display the status of the Console line.
A
Ruijie#configure terminal
Ruijie(config)#line console 0
Ruijie(config-line)#speed 115200
Ruijie(config-line)#databits 8
Ruijie(config-line)#parity even
Ruijie(config-line)#stopbits 1
* 0 CON 115200 0
3-11
Configuration Guide Configuring Lines
^^x none
00:10:00 never
Ruijie#show running-config
Building configuration...
ip tcp not-send-rst
vlan 1
3-12
Configuration Guide Configuring Lines
line con 0
parity even
stopbits 1
speed 115200
line vty 0 35
login
end
Configuration Steps
Configuring the Number of Data Bits per Character for the Current Session
Optional.
Optional.
Optional.
3-13
Configuration Guide Configuring Lines
Optional.
Configuring the Start Character of Software Flow Control for the Current Session
Optional.
Configuring the Stop Character of Software Flow Control for the Current Session
Optional.
Configuring the Number of Stop Bits in Each Byte for the Current Session
Optional.
Configuring the Type of Terminal Connected to the Current Line for the Current Session
Optional.
Verification
Related Commands
Configuring the Number of Data Bits per Character for the Current Session
3-14
Configuration Guide Configuring Lines
Mode
Usage Guide If you need to enter Chinese characters or display Chinese characters, images, or other international
characters in the command line, run the terminal exec-character-bits 8 command.
Configuring the Parity Bit of the Asynchronous Line for the Current Session
Configuring the Start Character of Software Flow Control for the Current Session
Configuring the Stop Character of Software Flow Control for the Current Session
3-15
Configuration Guide Configuring Lines
Configuring the Type of Terminal Connected to the Current Line for the Current Session
Configuration Example
Scenario
Figure 3-5
Configuration Connect the PC to network device A through the Console line and enter the CLI on the PC.
Steps Configure the terminal type and baud rate of the terminal in privileged EXEC mode.
A
Ruijie#terminal terminal-type ansi
Verification Run the show line console 0 command to display the status of the Console line.
A
Ruijie#show line console 0
* 0 CON 115200 0
^^x none
3-16
Configuration Guide Configuring Lines
00:10:00 never
3.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears the line connection status. clear line { console line-num | vty line-num | line-num }
Displaying
Description Command
Displays the line configuration. show line { console line-num | vty line-num | line-num }
Displays historical records of a line. show history
Displays the privilege level of a line. show privilege
Displays users on a line. show user [ all ]
3-17
Configuration Guide Configuring Time Range
4.1 Overview
Time Range is a time-based control service that provides some applications with time control. For example, you can
configure a time range and associate it with an access control list (ACL) so that the ACL takes effect within certain time
periods of a week.
An organization allows users to access the Telnet service on a remote Unix host during working hours only, as shown in
Figure 4-1.
Figure 4-1
Note
Configure an ACL on device B to implement the following security function:
Hosts in network segment 192.168.12.0/24 can access the Telnet service on a remote Unix host during normal
4-1
Configuration Guide Configuring Time Range
Functional Deployment
On device B, apply an ACL to control Telnet service access of users in network segment 192.168.12.0/24. Associate
the ACL with a time range, so that the users' access to the Unix host is allowed only during working hours.
Basic Concepts
The absolute time range is a time period between a start time and an end time. For example, [12:00 January 1 2000, 12:00
January 1 2001] is a typical absolute time range. When an application based on a time range is associated with the time
range, a certain function can be effective within this time range.
Periodic Time
Periodic time refers to a periodical interval in the time range. For example, “from 8:00 every Monday to 17:00 every Friday” is
a typical periodic time interval. When a time-based application is associated with the time range, a certain function can be
effective periodically from every Monday to Friday.
Features
Feature Function
Using Absolute Time Sets an absolute time range for a time-based application, so that a certain function takes effect within
Range the absolute time range.
Using Periodic Time Sets periodic time or a time-based application, so that a certain function takes effect within the
periodic time.
When a time-based application enables a certain function, it determines whether current time is within the absolute time
range. If yes, the function is effective or ineffective at the current time depending on specific configuration.
Working Principle
When a time-based application enables a certain function, it determines whether current time is within the period time. If yes,
the function is effective or ineffective at the current time depending on specific configuration.
4-2
Configuration Guide Configuring Time Range
absolute { [start time date] | [end time date] } Configures an absolute time range.
periodic day-of-the-week time to
Configures periodic time.
[day-of-the-week] time
Configure a time range, which may be an absolute time range or a periodic time interval, so that a time-range-based
application can enable a certain function within the time range.
Configuration Method
Mandatory configuration.
Optional configuration.
Optional configuration.
Verification
Use the show time-range [time-range-name] command to check time range configuration information.
Related Commands
4-3
Configuration Guide Configuring Time Range
Function Command
Displays time range configuration. show time-range [ time-range-name ]
4-4
Configuration Guide Configuring HTTP Service
5.1 Overview
Hypertext Transfer Protocol (HTTP) is used to transmit Web page information on the Internet. It is at the application layer of
the TCP/IP protocol stack. The transport layer adopts connection-oriented Transmission Control Protocol (TCP).
Hypertext Transfer Protocol Secure (HTTPS) is an HTTP supporting the Secure Sockets Layer (SSL) protocol. HTTPS is
mainly used to create a secure channel on an insecure network, ensure that information can hardly be intercepted, and
provide certain reasonable protection against main-in-the-middle attacks. At present, HTTPS is widely used for secure and
sensitive communication on the Internet, for example, electronic transactions.
5.2 Applications
Application Description
HTTP Application Service Users manage devices based on Web.
After the HTTP service is enabled, users can access the Web management page after passing authentication by only
entering http://IP address of a device in the browser of a PC. On the Web page, users you can monitor the device status,
configure devices, upload and download files.
Users can remotely access devices on the Internet or configure and manage devices on the Local Area Network (LAN)
by logging in to the Web server.
According to actual conditions, users can choose to enable the HTTPS or HTTP service or enable the HTTPS and
HTTP services at the same time.
Users can also access the HTTP service of devices by setting and using HTTP/1.0 or HTTP/1.1 in the browser.
5-1
Configuration Guide Configuring HTTP Service
Figure 5-1
A is a Ruijie device.
Remarks User 1 accesses the device through the Internet.
User 2 accesses the device through a LAN.
Deployment
When a device runs HTTP, users can access the device by entering http://IP address of the device in the browser of a
PC.
When a device runs HTTPS, users can access the device by entering https://IP address of the device in the browser
of a PC.
5.3 Features
Basic Concepts
HTTP Service
The HTTP service refers to transmission of Web page information on the Internet by using HTTP. HTTP/1.0 is currently an
HTTP version that is the most widely used. As one Web server may receive thousands or even millions of access requests,
HTTP/1.0 adopts the short connection mode to facilitate connection management. One TCP connection is established for
each request. After a request is completed, the TCP connection is released. The server does not need to record or trace
previous requests. Although HTTP/1.0 simplifies connection management, HTTP/1.0 introduces performance defects.
For example, a web page my need lots of pictures. However, the web page contains not real picture contents but URL
connection addresses of the pictures. In this case, the browser sends multiple requests during access. Each request requires
establishing an independent connection and each connection is completely isolated. Establishing and releasing connections
is a relatively troublesome process, which severely affects the performance of the client and server, as shown in the following
figure:
Figure 5-2
5-2
Configuration Guide Configuring HTTP Service
HTTP/1.1 overcomes the defect. It supports persistent connection, that is, one connection can be used to transmit multiple
requests and response messages. In this way, a client can send a second request without waiting for completion of the
previous request. This reduces network delay and improves performance. See the following figure:
Figure 5-3
Which HTTP version will be used by a device is decided by the Web browser.
HTTPS Service
The HTTPS service adds the SSL based on the HTTP service. Its security basis is the SSL. To run HTTPS properly, a server
must have a Public Key Infrastructure (PKI) certificate while a client may not necessarily need one. The SSL protocol
provides the following services:
Authenticating users and servers and ensuring that data is sent to the correct client and server.
Maintaining data integrity and ensuring that data is not changed during transmission.
Figure 5-4
5-3
Configuration Guide Configuring HTTP Service
During a local upgrade, a device serves as an HTTP server. Users can log in to the device through a Web browser and
upload upgrade files to the device to realize file upgrade on the device.
Features
Feature Description
HTTP Service Users log in to devices through Web pages to configure and manage devices.
Local HTTP Upgrade Upgrade files are uploaded to a device to realize file upgrade on the device.
Service
Working Principle
Web management covers Web clients and Web servers. Similarly, the HTTP service also adopts the client/server mode. The
HTTP client is embedded in the Web browser of the Web management client. It can send HTTP packets and receive HTTP
response packets. The Web server (namely HTTP server) is embedded in devices. The information exchange between the
client and the server is as follows:
A TCP connection is established between the client and the server. The default port ID of the HTTP service is 80 and
the default port ID of the HTTPS service is 443.
The server resolves the request message sent by the client. The request content includes obtaining a Web page,
executing a CLI command, and uploading a file.
After executing the request content, the server sends a response message to the client.
Related Configuration
5-4
Configuration Guide Configuring HTTP Service
The enable service web-server command can be used to enable HTTP service functions, including the HTTP service and
HTTPS service.
The HTTP service must be enabled so that users can log in to devices through Web pages to configure and manage devices.
By default, the system creates the admin account. The account cannot be deleted and only the password of the account can
be changed. The administrator account is the admin account, which corresponds to the level 0 permission. The administrator
account owns all permissions on the Web client and can edit other management accounts and authorize the accounts to
access pages. The new accounts that are added correspond to the level 1 permission.
The webmaster level command can be used to configure an authenticated user name and a password.
After this command is run, you need to enter the configured user name and password to log in to the Web page.
The http port command can be used to configure an HTTP service port ID. The value range of the port ID is 80 and 1025 to
65535.
By configuring an HTTP service port ID, you can reduce the number of attacks initiated by illegal users on the HTTP service.
The http secure-port command can be used to configure an HTTPS service port ID. The value range of the port ID is 443
and 1025 to 65535.
By configuring an HTTPS service port ID, you can reduce the number of attacks initiated by illegal users on the HTTPS
service.
Working Principle
A component package or Web package is uploaded through the local upgrade function provided by Web.
After successfully receiving a file, the device checks the version for its validity.
After the file check is successful, if the file is a Web package, perform the upgrade directly; if the file is a component
package, decide whether to perform the upgrade in the browser by restarting the device.
5-5
Configuration Guide Configuring HTTP Service
Related Configuration
Run the upgrade web download command to download a Web package from the TFTP server.
After the command is run, download a Web package from the TFTP server. After the package passes the validity check,
directly use the Web package for upgrade without restarting the device.
You can also run the upgrade web command to directly upgrade a Web package stored locally.
By default, a device does not upgrade subsystem components uploaded through a browser or TFTP.
To upgrade a subsystem component, you must restart the device.
5.4 Configuration
After the HTTP service is enabled on a device, users can log in to the Web management page after passing authentication
and monitor the device status, configure devices, upload and download files.
Configuration Steps
Mandatory
5-6
Configuration Guide Configuring HTTP Service
If there is no special requirement, enable the HTTP service on Ruijie devices. Otherwise, the Web service is
inaccessible.
By default, the user name admin and the password admin are configured.
If there is no special requirement, you can log in to the Web page by using the default user name and directly update
authentication information through the Web browser. If you always use the default account, security risks may exist
because unauthorized personnel can obtain device configuration information once the IP address is disclosed.
If an HTTP service port needs to be changed, the HTTP service port must be configured.
If there is no special requirement, the default HTTP service port 80 can be used for access.
If an HTTPS service port needs to be changed, the HTTPS service port must be configured.
If there is no special requirement, the default HTTPS service port 443 can be used for access.
Verification
Enter http://IP address of the device: service port to check whether the browser skips to the authentication page.
Enter https://IP address of the device: service port to check whether the browser skips to the authentication page.
Related Commands
5-7
Configuration Guide Configuring HTTP Service
User names and passwords involve three permission levels: Up to 10 user names and passwords can
be configured for each permission level.
By default, the system creates the admin account. The account cannot be deleted and only the
password of the account can be changed. The administrator account is the admin account, which
corresponds to the level 0 permission. The administrator account owns all permissions on the Web
client and can edit other management accounts and authorize the accounts to access pages. The new
accounts that are added correspond to the level 1 permission.
5-8
Configuration Guide Configuring HTTP Service
Configuration Example
Managing one Ruijie Device by Using Web and Logging in to the Device through a Web Browser to Configure
Related Functions
To improve security, the Web browser is required to support both HTTP and HTTPS for access.
The user is required to configure an HTTP service port to reduce the number of attacks initiated by illegal users on
HTTP.
Scenario
Figure 5-5
Configuratio Enable the HTTP and HTTPS services at the same time.
n Steps Set the HTTP service port ID to 8080 and the HTTPS service port ID to 4430.
A
A#configure terminal
Common Errors
If the HTTP service port is not the default port 80 or 443, you must enter a specific configured service port in the
browser. Otherwise, you cannot access devices on the Web client.
Perform an HTTP upgrade through the browser or the upgrade web command.
5-9
Configuration Guide Configuring HTTP Service
Notes
So long as a Web package is uploaded successfully and passes the version check, the device directly performs an
upgrade based on the latest Web package.
The upgrade web download command is used to automatically download files from the TFTP server and automatically
perform an upgrade.
The upgrade web command is used to automatically upgrade the Web package in the local file system.
Configuration Steps
N/A
Verification
Access and view the latest Web page through the browser.
Related Commands
Configuration Example
Obtaining the Latest Web Package from the Official Website and Running the Web Package
Scenario
Figure 5-6
5-10
Configuration Guide Configuring HTTP Service
Configuration Connect to a local PC whose IP address is 10.10.10.13 and assign an IP address 10.10.10.131 in the
Steps same network segment to the device.
Log in to the device through Web and upload the latest Web package to the device.
A
A#configure terminal
A(config)# vlan 1
A(config-vlan)# exit
On a PC, use the local upgrade function on the Web page to upload a Web package for upgrade.
Verification On the PC, log in to the device through Web again and check whether the latest Web page is displayed.
Scenario
Figure 5-7
Configuration Connect to a local PC whose IP address is 10.10.10.13 and assign an IP address 10.10.10.131 in the
Steps same network segment to the device.
Start the TFTP server.
A
A#configure terminal
A(config)# vlan 1
A(config-vlan)# exit
!!!!!!!!
Verification On the PC, log in to the device through Web again and check whether the latest Web page is displayed.
5-11
Configuration Guide Configuring HTTP Service
Scenario
Figure 5-8
Configuration Connect to a local PC whose IP address is 10.10.10.13 and assign an IP address 10.10.10.131 in the
Steps same network segment to the device.
Start the TFTP server.
A
A#configure terminal
A(config)# vlan 1
A(config-vlan)# exit
!!!!!!!!
A #
Verification On the PC, log in to the device through Web again and check whether the latest Web page is displayed.
Common Errors
Access to the web page through the browser shows that the web page is not updated based on the latest Web package.
This is possibly because the local browser has a cache. Clear the cache of the local browser and access the Web page
again.
5.5 Monitoring
Displaying
Description Command
5-12
Configuration Guide Configuring HTTP Service
5-13
Configuration Guide Configuring Syslog
6 Configuring Syslog
6.1 Overview
Status changes (such as link up and down) or abnormal events may occur anytime. Ruijie products provide the syslog
mechanism to automatically generate messages (log packets) in fixed format upon status changes or occurrence of events.
These messages are displayed on the related windows such as the Console or monitoring terminal, recorded on media such
as the memory buffer or log files, or sent to a group of log servers on the network so that the administrator can analyze
network performance and identify faults based on these log packets. Log packets can be added with the timestamps and
sequence numbers and classified by severity level so that the administrator can conveniently read and manage log packets.
RFC5424: The_Syslog_Protocol
6.2 Applications
Application Description
Sending Syslogs to the Console Monitor syslogs through the Console.
Sending Syslogs to the Log Server Monitor syslogs through the server.
Send syslogs to the Console to facilitate the administrator to monitor the performance of the system. The requirements are
as follows:
Deployment
6-1
Configuration Guide Configuring Syslog
1. Set the level of logs that can be sent to the Console to informational (Level 6).
4. Set the filtering rule of logs to single-match. The module name contains only ARP or IP.
Send syslogs to the log server to facilitate the administrator to monitor the logs of devices on the server. The requirements
are as follows:
3. Send syslogs from the source interface Loopback 0 to the log server.
Deployment
2. Set the level of logs that can be sent to the log server to debugging (Level 7).
3. Set the source interface of logs sent to the log server to Loopback 0.
6.3 Features
Basic Concepts
Classification of Syslogs
Log type
Debug type
Levels of Syslogs
6-2
Configuration Guide Configuring Syslog
Eight severity levels of syslogs are defined in descending order, including emergency, alert, critical, error, warning,
notification, informational, and debugging. These levels correspond to eight numerical values from 0 to 7. A smaller value
indicates a higher level.
Only logs with a level equaling to or higher than the specified level can be output. For example, if the level of logs is set to
informational (Level 6), logs of Level 6 or higher will be output.
Output directions of syslogs include Console, monitor, server, buffer, and file. The default level and type of logs vary with the
output direction. You can customize filtering rules for different output directions.
If the output direction is the Console, monitor, buffer, or file, the syslog format is as follows:
For example, if you exit configuration mode, the following log is displayed on the Console:
If the output direction is the log server, the syslog format is as follows:
6-3
Configuration Guide Configuring Syslog
For example, if you exit configuration mode, the following log is displayed on the log server:
4. Priority
This field is valid only when logs are sent to the log server.
The priority is calculated using the following formula: Facility x 8 + Level Level indicates the numerical code of the log level
and Facility indicates the numerical code of the facility. The default facility value is local7 (23). The following table lists the
value range of the facility.
5. Sequence Number
The sequence number of a syslog is a 6-digit integer, and increases sequentially. By default, the sequence number is not
displayed. You can run a command to display or hide this field.
6. Timestamp
6-4
Configuration Guide Configuring Syslog
The timestamp records the time when a syslog is generated so that you can display and check the system event
conveniently. Ruijie devices support two syslog timestamp formats: datetime and uptime.
If the device does not have the real time clock (RTC), which is used to record the system absolute time, the device
uses its startup time (uptime) as the syslog timestamp by default. If the device has the RTC, the device uses its
absolute time (datetime) as the syslog timestamp by default.
Datetime format
By default, the datetime timestamp displayed in the syslog does not contain the year and millisecond. You can run a
command to display or hide the year and millisecond of the datetime timestamp.
Uptime format
dd:hh:mm:ss
The timestamp string indicates the accumulated days, hours, minutes, and seconds since the system is started.
7. Sysname
This field indicates the name of the device that generates the log so that the log server can identify the host that sends the
log. By default, this field is not displayed. You can run a command to display or hide this field.
8. Module
This field indicates the name of the module that generates the log. The module name is an upper-case string of 2 to 20
characters, which contain upper-case letters, digits, or underscores. The module field is mandatory in the log-type
information, and optional in the debug-type information.
9. Level
Eight syslog levels from 0 to 7 are defined. The level of syslogs generated by each module is fixed and cannot be modified.
6-5
Configuration Guide Configuring Syslog
10. Mnemonic
This field indicates the brief information about the log. The mnemonic is an upper-case string of 4 to 32 characters, which
may include upper-case letters, digits, or underscore. The mnemonic field is mandatory in the log-type information, and
optional in the debug-type information.
11. Content
For example, if you exit configuration mode, the following log is displayed on the Console:
12. Priority
The priority is calculated using the following formula: Facility x 8 + Level. Level indicates the numerical code of the log level
and Facility indicates the numerical code of the facility. When the RFC5424 format is enabled, the default value of the facility
field is local0 (16).
13. Version
14. Timestamp
The timestamp records the time when a syslog is generated so that you can display and check the system event
conveniently. Ruijie devices use the following uniformed timestamp format when the RFC5424 logging function is enabled:
YYYY-MM-DDTHH:MM:SS.SECFRACZ
15. Sysname
6-6
Configuration Guide Configuring Syslog
This field indicates the name of the device that generates the log so that the log server can identify the host that sends the
log.
16. Module
This field indicates the name of the module that generates the log. The module name is an upper-case string of 2 to 20
characters, which contain upper-case letters, digits, or underscores. The module field is mandatory in the log-type
information, and optional in the debug-type information.
17. Level
Eight syslog levels from 0 to 7 are defined. The level of syslogs generated by each module is fixed and cannot be modified.
18. Mnemonic
This field indicates the brief information about the log. The mnemonic is an upper-case string of 4 to 32 characters, which
contain upper-case letters, digits, or underscores. The Mnemonic field is mandatory in the log-type information, and optional
in the debug-type information.
19. Structured-Data
Structured-data introduced in RFC5424 is parsed as a whole string containing parameter information. Each log may contain
0 or multiple parameters. If a parameter is null, replace this parameter with a placeholder (-). The format of this field is as
follows:
[SD_ID@enterpriseID PARAM-NAME=PARAM-VALUE]
http://www.iana.org/assignments/enterprise-numbers
20. description
6-7
Configuration Guide Configuring Syslog
Overview
Feature Description
Logging Enable or disable the system logging functions.
Syslog Format Configure the syslog format.
Logging Direction Configure the parameters to send syslogs in different directions.
Syslog Filtering Configure parameters of the syslog filtering function.
Featured Logging Configure parameters of the featured logging function.
Syslog Monitoring Configure parameters of the syslog monitoring function.
6.3.1 Logging
Enable or disable the logging, log redirection, and log statistics functions.
Related Configuration
Enable Logging
Run the logging on command to enable logging in global configuration mode. After logging is enabled, logs generated by
the system are sent in various directions for the administrator to monitor the performance of the system.
Run the logging rd on command to enable log redirection in global configuration mode. After log redirection is enabled, logs
generated by the standby device or standby supervisor module are redirected to the active device or active supervisor
module on the VSU to facilitate the administrator to manage logs.
Run the logging count command to enable log statistics in global configuration mode. After log statistics is enabled, the
system records the number of times a log is generated and the last time when the log is generated.
Related Configuration
6-8
Configuration Guide Configuring Syslog
After the new format (RFC5424 log format) is enabled, the service sequence-numbers, service sysname, service
timestamps, service private-syslog, and service standard-syslog that are applicable only to the old format (RFC3164 log
format) lose effect and are hidden.
After the old format (RFC3164 log format) is enabled, the logging delay-send, logging policy, and logging statistic
commands that are applicable only to the RFC5424 log format lose effect and are hidden.
After log format switchover, the outputs of the show logging and show logging config commands change accordingly.
By default, the syslog uses the datetime timestamp format, and the timestamp does not contain the year and millisecond.
Run the service timestamps command in global configuration mode to use the datetime timestamp format that contains the
year and millisecond in the syslog, or change the datetime format to the uptime format.
Run the service sysname command in global configuration mode to add sysname to the syslog.
Run the service sequence-numbers command in global configuration mode to add the sequence number to the syslog.
Run the service standard-syslog command in global configuration mode to enable the standard log format and logs are
displayed in the following format:
Compared with the default log format, an asterisk (*) is missing in front of the timestamp, and a colon (:) is missing at the end
of the timestamp in the standard log format.
Run the service private-syslog command in global configuration mode to enable the private log format and logs are
displayed in the following format:
Compared with the default log format, an asterisk (*) is missing in front of the timestamp, a colon (:) is missing at the end of
the timestamp, and a percent sign (%) is missing at the end of the module name in the private log format.
6-9
Configuration Guide Configuring Syslog
Related Configuration
Run the logging synchronous command in line configuration mode to synchronize user input with log output. After this
function is enabled, user input will not be interrupted.
Run the logging rate-limit { number | all number | console {number | all number } } [ except [ severity ] ] command in global
configuration mode to configure the log rate limit.
By default, a maximum of 200 logs are redirected from the standby device to the active device of VSU per second.
Run the logging rd rate-limit number [ except severity ] command in global configuration mode to configure the log
redirection rate limit, that is, the maximum number of logs that are redirected from the standby device to the active device or
from the standby supervisor module to the active supervisor module per second.
By default, the level of logs sent to the Console is debugging (Level 7).
Run the logging console [ level ] command in global configuration mode to configure the level of logs that can be sent to the
Console.
Run the terminal monitor command in the privileged EXEC mode to send logs to the monitor terminal.
By default, the level of logs sent to the monitor terminal is debugging (Level 7).
Run the logging monitor [ level ] command in global configuration mode to configure the level of logs that can be sent to the
monitor terminal.
By default, logs are written into the memory buffer, and the default level of logs is debugging (Level 7).
6-10
Configuration Guide Configuring Syslog
Run the logging buffered [ buffer-size ] [ level ] command in global configuration mode to configure parameters for writing
logs into the memory buffer, including the buffer size and log level.
Run the logging server { ip-address | ipv6 ipv6-address } [ udp-port port ] command in global configuration mode to send
logs to a specified log server.
By default, the level of logs sent to the log server is informational (Level 6).
Run the logging trap [ level ] command in global configuration mode to configure the level of logs that can be sent to the log
server.
If the RFC5424 log format is disabled, the facility value of logs sent to the log server is local7 (23) by default. If the RFC5424
log format is enabled, the facility value of logs sent to the log server is local0 (16) by default.
Run the logging facility facility-type command in global configuration mode to configure the facility value of logs sent to the
log server.
By default, the source address of logs sent to the log server is the IP address of the interface sending logs.
Run the logging source [ interface ] interface-type interface-number command to configure the source interface of logs. If
this source interface is not configured, or the IP address is not configured for this source interface, the source address of logs
is the IP address of the interface sending logs.
Run the logging source { ip ip-address | ipv6 ipv6-address } command to configure the source IP address of logs. If this IP
address is not configured on the device, the source address of logs is the IP address of the interface sending logs.
By default, logs are not written into log files. After the function of writing logs into log files is enabled, the level of logs written
into log files is informational (Level 6) by default.
Run the logging file {flash:filename } [ max-file-size ] [ level ] command in global configuration mode to configure
parameters for writing logs into log files, including the type of device where the file is stored, file name, file size, and log level.
Run the logging file numbers numbers command in global configuration mode to configure the number of log files.
Configuring the Interval at Which Logs Are Written into Log Files
By default, logs are written into log files at the interval of 3600s (one hour).
6-11
Configuration Guide Configuring Syslog
Run the logging flash interval seconds command in global configuration mode to configure the interval at which logs are
written into log files.
Run the logging life-time level level days command in global configuration mode to configure the storage time of logs. The
administrator can specify different storage days for logs of different levels.
By default, syslogs are stored in the syslog buffer and then written into log files periodically or when the buffer is full.
Run the logging flash flush command in global configuration mode to immediately write logs in the buffer into log files so
that you can collect logs conveniently.
Working Principle
Filtering Direction
buffer: Filters out logs sent to the log buffer, that is, logs displayed by the show logging command.
terminal: Filters out logs sent to the Console and monitor terminal (including Telnet and SSH).
The four filtering directions can be used either in combinations to filter out logs sent in various directions, or separately to
filter out logs sent in a single direction.
Filtering Mode
contains-only: Indicates that only logs that contain keywords specified in the filtering rules are output. You may be
interested in only a specified type of logs. In this case, you can apply the contains-only mode on the device to display
only logs that match filtering rules on the terminal, helping you check whether any event occurs.
filter-only: Indicates that logs that contain keywords specified in the filtering rules are filtered out and will not be output.
If a module generates too many logs, spamming may occur on the terminal interface. If you do not care about this type
of logs, you can apply the filter-only mode and configure related filtering rules to filter out logs that may cause
spamming.
The two filtering modes are mutually exclusive, that is, you can configure only one filtering mode at a time.
Filter Rule
6-12
Configuration Guide Configuring Syslog
exact-match: If exact-match is selected, you must select all the three filtering options (module, level, and mnemonic). If
you want to filter out a specified log, use the exact-match filtering rule.
single-match: If exact-match is selected, you only need to select one of the three filtering options (module, level, and
mnemonic). If you want to filter out a specified type of logs, use the single-match filtering rule.
If the same module, level, or mnemonic is configured in both the single-match and exact-match rules, the single-match rule
prevails over the exact-match rule.
Related Configuration
By default, the log filtering direction is all, that is, logs sent in all directions are filtered.
Run the logging filter direction { all | buffer | file | server | terminal } command in global configuration mode to configure
the log filtering direction to filter out logs in the specified directions.
Run the logging filter type { contains-only | filter-only } command in global configuration mode to configure the log filtering
mode.
By default, no log filtering rule is configured on a device, that is, logs are not filtered out.
Run the logging filter rule exact-match module module-name mnemonic mnemonic-name level level command in global
configuration mode to configure the exact-match rule.
Run the logging filter rule single-match { level level | mnemonic mnemonic-name | module module-name } command in
global configuration mode to configure the single-match rule.
Working Principle
Level-based Logging
You can use the level-based logging function to send syslogs to different destinations based on different module and severity
level. For example, you can configure commands to send WLAN module logs of Level 4 or lower to the log server, and
WLAN module logs of Level 5 or higher to local log files.
Delayed Logging
6-13
Configuration Guide Configuring Syslog
After generated, logs are not directly sent to the log server, and instead they are buffered in the log file. The device sends the
log file to the syslog server through FTP at a certain interval. This function is called delayed logging.
If the device generates too many logs, sending all logs to the server in real time may deteriorate the performance of the
device and the syslog server, and increase the burden of the network. In this case, the delayed logging function can be used
to reduce the packet interaction.
By default, the log file sent to the remote server is named File size_Device IP address_Index.txt. If the prefix of the log file
name is modified, the log file sent to the remote server is named Configured file name prefix_File size_Device IP
address_Index.txt. The file stored on the local Flash of the device is named Configured file name prefix_Index.txt. By
default, the file name prefix is syslog_ftp_server, the delayed logging interval is 3600s (one hour), and the log file size is 128
KB.
The maximum value of the delayed logging interval is 65535s, that is, 18 hours. If you set the delayed logging interval to the
maximum value, the amount of logs generated in this period may exceed the file size (128 KB). To prevent loss of logs, logs
will be written into a new log file, and the index increases by 1. When the timer expires, all log files buffered in this period will
be sent to the FTP or TFTP server at a time.
The Flash on the device that is used to buffer the local log files is limited in size. A maximum of eight log files can be buffered
on the device. If the number of local log files exceeds eight before the timer expires, all log files that are generated earlier will
be sent to the FTP or TFTP server at a time.
Periodical Logging
Logs about performance statistics are periodically sent. All periodical logging timers are managed by the syslog module.
When the timer expires, the syslog module calls the log processing function registered with each module to output the
performance statistic logs and send logs in real time to the remote syslog server. The server analyzes these logs to evaluate
the device performance.
By default, the periodical logging interval is 15 minutes. To enable the server to collect all performance statistic logs at a time,
you need to set the log periodical logging intervals of different statistic objects to a common multiple of them. Currently, the
interval can be set to 0, 15, 30, 60, or 120. 0 indicates that periodical logging is disabled.
Related Configuration
Run the logging policy module module-name [ not-lesser-than ] level direction { all | server | file | console | monitor |
buffer } command in global configuration mode to configure the level-based logging policy.
By default, delayed display of logs on the Console and remote terminal is disabled.
Run the logging delay-send terminal command in global configuration mode to enable delayed display of logs on the
Console and remote terminal.
6-14
Configuration Guide Configuring Syslog
By default, the log file sent to the remote server is named File size_Device IP address_Index.txt. If the prefix of the log file
name is modified, the log file sent to the remote server is named Configured file name prefix_File size_Device IP
address_Index.txt. The file stored on the local Flash of the device is named Configured file name prefix_Index.txt. The
default file name prefix is syslog_ftp_server.
Run the logging delay-send file flash:filename command in global configuration mode to configure the name of the log file
that is buffered on the local device.
Run the logging delay-send interval seconds command in global configuration mode to configure the delayed logging
interval.
Run the logging delay-send server { ip-address | ipv6 ipv6-address }mode { ftp user username password [ 0 | 7 ]
password | tftp } command in global configuration mode to configure the server address and delayed logging mode.
Run the logging statistic enable command in global configuration mode to enable periodical uploading of logs. After this
function is enabled, the system outputs a series of performance statistics at a certain interval so that the log server can
monitor the system performance.
By default, periodical display of logs on the Console and remote terminal is disabled.
Run the logging statistic terminal command in global configuration mode to enable periodical display of logs on the
Console and remote terminal.
Run the logging statistic mnemonic mnemonic interval minutes command in global configuration mode to configure the
periodical logging interval.
Working Principle
After logging of login/exit attempts is enabled, the system records the access attempts of users. The log contains user name
and source address.
6-15
Configuration Guide Configuring Syslog
After logging of operations is enabled, the system records changes in device configurations, The log contains user name,
source address, and operation.
Related Configuration
By default, a device does not generate logs when users access or exit the device.
Run the logging userinfo command in global configuration mode to enable logging of login/exit attempts. After this function
is enabled, the device displays logs when users access the devices through Telnet, SSH, or HTTP so that the administrator
can monitor the device connections.
By default, a device does not generate logs when users modify device configurations.
Run the logging userinfo command-log command in global configuration mode to enable logging of operations. After this
function is enabled, the system displays related logs to notify the administrator of configuration changes.
6.4 Configuration
Sending Syslogs to the (Optional) It is used to configure parameters for sending syslogs to the monitor terminal.
Monitor Terminal
terminal monitor Enables the monitor terminal to display logs.
6-16
Configuration Guide Configuring Syslog
(Optional) It is used to configure parameters for writing syslogs into the memory buffer.
Writing Syslogs into the
Configures parameters for writing syslogs
Memory Buffer
logging buffered [ buffer-size ] [ level ] into the memory buffer, including the buffer
size and log level.
(Optional) It is used to configure parameters for sending syslogs to the log server.
6-17
Configuration Guide Configuring Syslog
(Optional) It is used to configure logging policies to send the syslogs based on module
and severity level .
Configuring Level-based
Logging logging policy module module-name
Sends logs to different destinations by
[ not-lesser-than ] level direction { all |
module and severity level
server | file | console | monitor | buffer }
Synchronizing User Input (Optional) It is used to synchronize the user input with log output.
with Log Output
logging synchronous Synchronizes user input with log output.
6-18
Configuration Guide Configuring Syslog
Notes
If the device does not have the real time clock (RTC), which is used to record the system absolute time, the device uses
its startup time (uptime) as the syslog timestamp by default. If the device has the RTC, the device uses its absolute time
(datetime) as the syslog timestamp by default.
The log sequence number is a 6-digit integer. Each time a log is generated, the sequence number increases by one.
Each time the sequence number increases from 000000 to 1,000,000, or reaches 2^32, the sequence number starts
from 000000 again.
In the RFC5424 log format, the timestamp may or may not contain the time zone. Currently, only the timestamp without
the time zone is supported.
Configuration Steps
Unless otherwise specified, perform this configuration on the device to configure the timestamp format.
Unless otherwise specified, perform this configuration on the device to add the sysname to the syslog.
(Optional) By default, the syslog does not contain the sequence number.
Unless otherwise specified, perform this configuration on the device to add the sequence number to the syslog.
Unless otherwise specified, perform this configuration on the device to enable the standard log format.
6-19
Configuration Guide Configuring Syslog
Unless otherwise specified, perform this configuration on the device to enable the private log format.
Unless otherwise specified, perform this configuration on the device to enable the RFC5424 log format.
Verification
Related Commands
6-20
Configuration Guide Configuring Syslog
If the standard syslog format is enabled, logs are displayed in the following format:
Compared with the default format, an asterisk (*) is missing in front of the timestamp, and a colon (:) is
missing at the end of the timestamp in the standard log format.
If the private syslog format is enabled, logs are displayed in the following format:
Compared with the default format, an asterisk (*) is missing in front of the timestamp, a colon (:) is missing at
the end of the timestamp, and a percent sign (%) is missing in front of the module name in the private log
format.
After the old format (RFC3164 log format) is enabled, the logging delay-send, logging policy, and
6-21
Configuration Guide Configuring Syslog
logging statistic commands that are applicable only to the RFC5424 log format loss effect and are hidden.
After log format switchover, the outputs of the show logging and show logging config commands change
accordingly.
Configuration Example
Verification After the timestamp format is configured, verify that new syslogs are displayed in the RFC3164 format.
Run the show logging config command to display the configuration.
Enter or exit global configuration mode to generate a new log, and check the format of the timestamp in
the new log.
Ruijie(config)#exit
001302: *Jun 14 2013 19:01:40.293: Ruijie %SYS-5-CONFIG_I: Configured from console by admin on
console
Standard format:false
6-22
Configuration Guide Configuring Syslog
Verification Verify that new syslogs are displayed in the RFC5424 format.
Run the show logging config command to display the configuration.
Enter or exit global configuration mode to generate a new log, and check the format of the new log.
Ruijie(config)#exit
Delay-send file name:syslog_ftp_server, Current write index:3, Current send index:3, Cycle:10
seconds
logging to 192.168.23.89
logging to 2000::1
6-23
Configuration Guide Configuring Syslog
Send syslogs to the Console to facilitate the administrator to monitor the performance of the system.
Notes
If too many syslogs are generated, you can limit the log rate to reduce the number of logs displayed on the Console.
Configuration Steps
Enabling Logging
Unless otherwise specified, perform this configuration on the device to enable log statistics.
(Optional) By default, the level of logs displayed on the Console is debugging (Level 7).
Unless otherwise specified, perform this configuration on the device to configure the level of logs displayed on the
Console.
Unless otherwise specified, perform this configuration on the device to limit the log rate.
Verification
Run the show logging config command to display the level of logs displayed on the Console.
Related Commands
Enabling Logging
Command logging on
Parameter N/A
Description
Command Global configuration mode
Mode
Configuration By default, logging is enabled. Do not disable logging in general cases. If too many syslogs are generated,
Usage you can configure log levels to reduce the number of logs.
6-24
Configuration Guide Configuring Syslog
Command logging rate-limit { number | all number | console {number | all number } } [ except [ severity ] ]
Parameter number: Indicates the maximum number of logs processed per second. The value ranges from 1 to 10,000.
Description all: Indicates that rate limit is applied to all logs ranging from Level 0 to Level 7.
console: Indicates the number of logs displayed on the Console per second.
except severity: Rate limit is not applied to logs with a level equaling to or lower than the specified severity
level. By default, the severity level is error (Level 3), that is, rate limit is not applied to logs of Level 3 or
lower.
Command Global configuration mode
Mode
Configuration By default, no rate limit is configured.
Usage
Configuration Example
Scenario It is required to configure the function of displaying syslogs on the Console as follows:
1. Enable log statistics.
2. Set the level of logs that can be displayed on the Console to informational (Level 6).
3. Set the log rate limit to 50.
Configuration Configure parameters for displaying syslogs on the Console.
Steps
6-25
Configuration Guide Configuring Syslog
Verification Run the show logging config command to display the configuration.
Standard format:false
Send syslogs to a remote monitor terminal to facilitate the administrator to monitor the performance of the system.
Notes
If too many syslogs are generated, you can limit the log rate to reduce the number of logs displayed on the monitor
terminal.
By default, the current monitor terminal is not allowed to display logs after you access the device remotely. You need to
manually run the terminal monitor command to allow the current monitor terminal to display logs.
Configuration Steps
6-26
Configuration Guide Configuring Syslog
Unless otherwise specified, perform this operation on every monitor terminal connected to the device.
(Optional) By default, the level of logs displayed on the monitor terminal is debugging (Level 7).
Unless otherwise specified, perform this configuration on the device to configure the level of logs displayed on the
monitor terminal.
Verification
Run the show logging config command to display the level of logs displayed on the monitor terminal.
Related Commands
Configuration Example
Scenario It is required to configure the function of displaying syslogs on the monitor terminal as follows:
1. Display logs on the monitor terminal.
2. Set the level of logs that can be displayed on the monitor terminal to informational (Level 6).
Configuration Configure parameters for displaying syslogs on the monitor terminal.
Steps
6-27
Configuration Guide Configuring Syslog
Ruijie(config-line)# monitor
Verification Run the show logging config command to display the configuration.
Standard format:false
Common Errors
To disable this function, run the terminal no monitor command, instead of the no terminal monitor command.
Write syslogs into the memory buffer so that the administrator can view recent syslogs by running the show logging
command.
Notes
If the buffer is full, old logs will be overwritten by new logs that are written into the memory buffer.
Configuration Steps
6-28
Configuration Guide Configuring Syslog
(Optional) By default, the system writes logs into the memory buffer, and the default level of logs is debugging (Level 7).
Unless otherwise specified, perform this configuration on the device to write logs into the memory buffer.
Verification
Run the show logging config command to display the level of logs written into the memory buffer.
Run the show logging command to display the level of logs written into the memory buffer.
Related Commands
Configuration Example
Scenario It is required to configure the function of writing syslogs into the memory buffer as follows:
1. Set the log buffer size to 128 KB (131,072 bytes).
2. Set the information level of logs that can be written into the memory buffer to informational (Level 6).
Configuration Configure parameters for writing syslogs into the memory buffer.
Steps
Verification Run the show logging config command to display the configuration and recent syslogs.
Ruijie#show logging
6-29
Configuration Guide Configuring Syslog
Scenario It is required to configure the function of writing syslogs into the memory buffer as follows:
1. Set the log buffer size to 128 KB (131,072 bytes).
2. Set the information level of logs that can be written into the memory buffer to informational (Level 6).
Configuration Configure parameters for writing syslogs into the memory buffer.
Steps
Verification Run the show logging config command to display the configuration and recent syslogs.
Standard format:false
001301: *Jun 14 2013 19:01:09.488: Ruijie %SYS-5-CONFIG_I: Configured from console by admin on
console
001302: *Jun 14 2013 19:01:40.293: Ruijie %SYS-5-CONFIG_I: Configured from console by admin on
console
//Logs displayed are subject to the actual output of the show logging command.
Send syslogs to the log server to facilitate the administrator to monitor logs on the server.
Notes
To send logs to the log server, you must add the timestamp and sequence number to logs. Otherwise, the logs are not
sent to the log server.
Configuration Steps
6-30
Configuration Guide Configuring Syslog
(Optional) By default, the level of logs sent to the log server is informational (Level 6).
Unless otherwise specified, perform this configuration on the device to configure the level of logs sent to the log server.
(Optional) If the RFC5424 format is disabled, the facility value of logs sent to the log server is local7 (23) by default. If
the RFC5424 format is enabled, the facility value of logs sent to the log server is local0 (16) by default.
Unless otherwise specified, perform this configuration on the device to configure the facility value of logs sent to the log
server.
(Optional) By default, the source interface of logs sent to the log server is the interface sending the logs.
Unless otherwise specified, perform this configuration on the device to configure the source interface of logs sent to the
log server.
(Optional) By default, the source address of logs sent to the log server is the IP address of the interface sending the
logs.
Unless otherwise specified, perform this configuration on the device to configure the source address of logs sent to the
log server.
Verification
Run the show logging config command to display the configurations related to the log server.
Related Commands
6-31
Configuration Guide Configuring Syslog
6-32
Configuration Guide Configuring Syslog
Configuration Example
Scenario It is required to configure the function of sending syslogs to the log server as follows:
1. Set the IPv4 address of the log server to 10.1.1.100.
2. Set the level of logs that can be sent to the log server to debugging (Level 7).
3. Set the source interface to Loopback 0.
Configuration Configure parameters for sending syslogs to the log server.
Steps
Verification Run the show logging config command to display the configuration.
Standard format:false
logging to 10.1.1.100
Write syslogs into log files at the specified interval so that the administrator can view history logs anytime on the local
device.
6-33
Configuration Guide Configuring Syslog
Notes
Sylsogs are not immediately written into log files. They are first buffered in the memory buffer, and then written into log
files either periodically (at the interval of one hour by default) or when the buffer is full.
Configuration Steps
Unless otherwise specified, perform this configuration on the device to configure the number of files which logs are
written into.
Configuring the Interval at Which Logs Are Written into Log Files
Unless otherwise specified, perform this configuration on the device to configure the interval at which logs are written
into log files.
Unless otherwise specified, perform this configuration on the device to configure the storage time of log files.
(Optional) By default, syslogs are stored in the buffer and then written into log files periodically or when the buffer is full.
Unless otherwise specified, perform this configuration to write logs in the buffer into log files immediately. This
command takes effect only once after it is configured.
Verification
Run the show logging config command to display the configurations related to the log server.
Related Commands
6-34
Configuration Guide Configuring Syslog
Configuring the Interval at Which Logs Are Written into Log Files
6-35
Configuration Guide Configuring Syslog
The logging flash flush command takes effect once after it is configured. That is, after this command
is configured, logs in the buffer are immediately written to log files.
Configuration Example
Scenario It is required to configure the function of writing syslogs into log files as follows:
1. Set the log file name to syslog.
2. Set the level of logs sent to the Console to debugging (Level 7).
3. Set the interval at which device logs are written into files to 10 minutes (600s).
Configuration Configure parameters for writing syslogs into log files.
Steps
Verification Run the show logging config command to display the configuration.
6-36
Configuration Guide Configuring Syslog
Scenario It is required to configure the function of writing syslogs into log files as follows:
1. Set the log file name to syslog.
2. Set the level of logs sent to the Console to debugging (Level 7).
3. Set the interval at which device logs are written into files to 10 minutes (600s).
Configuration Configure parameters for writing syslogs into log files.
Steps
Verification Run the show logging config command to display the configuration.
Syslog logging: enabled
Standard format:false
logging to 10.1.1.100
Filter out a specified type of syslogs if the administrator does not want to display these syslogs.
By default, logs generated by all modules are displayed on the Console or other terminals. You can configure log
filtering rules to display only desired logs.
Notes
Two filtering modes are available: contains-only and filter-only. You can configure only one filtering mode at a time.
6-37
Configuration Guide Configuring Syslog
If the same module, level, or mnemonic is configured in both the single-match and exact-match rules, the single-match
rule prevails over the exact-match rule.
Configuration Steps
(Optional) By default, the filtering direction is all, that is, all logs are filtered out.
Unless otherwise specified, perform this configuration on the device to configure the log filtering direction.
Unless otherwise specified, perform this configuration on the device to configure the log filtering mode.
Unless otherwise specified, perform this configuration on the device to configure the log filtering rule.
Verification
Related Commands
6-38
Configuration Guide Configuring Syslog
Configuration Log filtering modes include contains-only and filter-only. The default filtering mode is filter-only.
Usage
Command logging filter rule { exact-match module module-name mnemonic mnemonic-name level level |
single-match { level level | mnemonic mnemonic-name | module module-name } }
Parameter exact-match: If exact-match is selected, you must specify all three filtering options.
Description single-match: If single-match is selected, you may specify only one of the three filtering options.
module module-name: Indicates the module name. Logs of this module will be filtered out.
mnemonic mnemonic-name: Indicates the mnemonic. Logs with this mnemonic will be filtered out.
level level: Indicates the log level. Logs of this level will be filtered out.
Command Global configuration mode
Mode
Configuration Log filtering rules include exact-match and single-match.
Usage The no logging filter rule exact-match [ module module-name mnemonic mnemonic-name level level ]
command is used to delete the exact-match filtering rules. You can delete all exact-match filtering rules at a
time or one by one.
The no logging filter rule single-match [ level level | mnemonic mnemonic-name | module
module-name ] command is used to delete the single-match filtering rules. You can delete all single-match
filtering rules at a time or one by one.
Configuration Example
Verification Run the show running-config | include loggging command to display the configuration.
Enter and exit global configuration mode, and verify that the system displays logs accordingly.
Ruijie#configure
6-39
Configuration Guide Configuring Syslog
Verification Run the show running-config | include loggging command to display the configuration.
Enter and exit global configuration mode, and verify that the system displays logs accordingly.
Enter configuration commands, one per line. End with CNTL/Z.
Ruijie(config)#exit
Ruijie#
You can use the level-based logging function to send syslogs to different destinations based on different module and
severity level. For example, you can configure a command to send WLAN module logs of Level 4 or lower to the log
server, and WLAN module logs of Level 5 or higher to local log files.
Notes
Level-based logging takes effect only when the RFC5424 format is enabled.
Configuration Steps
Unless otherwise specified, perform this configuration on the device to configure logging polices to send syslogs to
different destinations based on module and severity level.
6-40
Configuration Guide Configuring Syslog
Verification
Related Commands
Command logging policy module module-name [ not-lesser-than ] level direction { all | server | file | console |
monitor | buffer }
Parameter module-name: Indicates the name of the module to which the logging policy is applied.
Description not-lesser-than: If this option is specified, logs of the specified level or higher will be sent to the specified
destination, and other logs will be filtered out. If this option is not specified, logs of the specified level or
lower will be sent to the specified destination, and other logs will be filtered out.
level: Indicates the level of logs for which the logging policy is configured.
all: Indicates that the logging policy is applied to all logs.
server: Indicates that the logging policy is applied only to logs sent to the log server.
file: Indicates that the logging policy is applied only to logs written into log files.
console: Indicates that the logging policy is applied only to logs sent to the Console.
monitor: Indicates that the logging policy is applied only to logs sent to a remote terminal.
buffer: Indicates that the logging policy is applied only to logs stored in the buffer.
Command Global configuration mode
Mode
Configuration This command is used to configure logging polices to send syslogs to different destinations based on
Usage module and severity level.
Configuration Example
Verification Run the show running-config | include logging policy command to display the configuration.
Exit and enter global configuration mode to generate a log containing module name “SYS”. Verify that
the log is sent to the destination as configured.
6-41
Configuration Guide Configuring Syslog
Verification Run the show running-config | include logging policy command to display the configuration.
Exit and enter global configuration mode to generate a log containing module name “SYS”. Verify that
the log is sent to the destination as configured.
logging policy module SYS not-lesser-than 5 direction console
By default, delayed logging is enabled by default at the interval of 3600s (one hour). The name of the log file sent to the
remote server is File size_Device IP address_Index.txt. Logs are not sent to the Console or remote terminal.
You can configure the interval based on the frequency that the device generates logs for delayed uploading. This can
reduce the burden on the device, syslog server, and network. In addition, you can configure the name of the log file as
required.
Notes
This function takes effect only when the RFC5424 format is enabled.
It is recommended to disable the delayed display of logs on the Console and remote terminal. Otherwise, a large
amount of logs will be displayed, increasing the burden on the device.
The file name cannot contain any dot (.) because the system automatically adds the index and the file name extension
(.txt) to the file name when generating a locally buffered file. The index increases each time a new file is generated. In
addition, the file name cannot contain characters prohibited by your file system, such as \, /, :, *, ", <, >, and |. For
example, the file name is log_server, the current file index is 5, the file size is 1000 bytes, and the source IP address is
10.2.3.5.The name of the log file sent to the remote server is log_server_1000_10.2.3.5_5.txt while the name of the
log file stored on the device is log_server_5.txt. If the source IP address is an IPv6 address, the colon (:) in the IPv6
address must be replaced by the hyphen (-) because the colon (:) is prohibited by the file system. For example, the file
name is log_server, the current file index is 6, the file size is 1000 bytes, and the source IPv6 address is 2001::1. The
name of the log file sent to the remote server is log_server_1000_2001-1_6.txt while the name of the log file stored on
the device is log_server_6.txt.
6-42
Configuration Guide Configuring Syslog
If few logs are generated, you can set the interval to a large value so that many logs can be sent to the remote server at
a time.
Configuration Steps
(Optional) By default, delayed display of logs on the Console and remote terminal is disabled.
Unless otherwise specified, perform this configuration on the device to enable delayed display of logs on the Console
and remote terminal.
(Optional) By default, the name of the file for delayed logging is File size_Device IP address_Index.txt.
Unless otherwise specified, perform this configuration on the device to configure the name of the file for delayed
logging.
Unless otherwise specified, perform this configuration on the device to configure the delayed logging interval.
(Optional) By default, log files are not sent to any remote server.
Unless otherwise specified, perform this configuration on the device to configure the server address and delayed
logging mode
Verification
Related Commands
6-43
Configuration Guide Configuring Syslog
Parameter flash:filename: Indicates the name of the file on the local device where logs are buffered.
Description
Command Global configuration mode
Mode
Configuration This command is used to configure the name of the file on the local device where logs are buffered.
Usage
The file name cannot contain any dot (.) because the system automatically adds the index and the file name
extension (.txt) to the file name when generating a locally buffered file. The index increases each time a new
file is generated. In addition, the file name cannot contain characters prohibited by your file system, such as
\, /, :, *, ", <, >, and |.
For example, the configured file name is log_server, the current file index is 5, the file size is 1000 bytes, and
the source IP address is 10.2.3.5. The name of the log file sent to the remote server is
log_server_1000_10.2.3.5_5.txt while the name of the log file stored on the device is log_server_5.txt.
If the source IP address is an IPv6 address, the colon (:) in the IPv6 address must be replaced by the
hyphen (-) because the colon (:) is prohibited by the file system.
For example, the file name is log_server, the current file index is 6, the file size is 1000 bytes, and the source
IPv6 address is 2001::1. The name of the log file sent to the remote server is
log_server_1000_2001-1_6.txt while the name of the log file stored on the device is log_server_6.txt.
Command logging delay-send server { ip-address | ipv6 ipv6-address } mode { ftp user username password [ 0 | 7 ]
password | tftp }
Parameter ip-address: Indicates the IP address of the server that receives logs.
Description ipv6 ipv6-address: Indicates the IPv6 address of the server that receives logs.
username: Specifies the user name of the FTP server.
password: Specifies the password of the FTP server.
0: (Optional) Indicates that the following password is in plain text.
7: Indicates that the following password is encrypted.
Command Global configuration mode
Mode
Configuration This command is used to specify an FTP or a TFTP server for receiving the device logs. You can configure a
6-44
Configuration Guide Configuring Syslog
Usage total of five FTP or TFTP servers, but a server cannot be both an FTP and TFTP server.. Logs will be
simultaneously sent to all FTP or TFTP servers.
Configuration Example
Ruijie(config)# logging delay-send server 192.168.23.12 mode ftp user admin password admin
Verification Run the show running-config | include logging delay-send command to display the configuration.
Verify that logs are sent to the remote FTP server after the timer expires.
logging delay-send server 192.168.23.12 mode ftp user admin password admin
By default, periodical logging is disabled. Periodical logging interval is 15 minutes. Periodical display of logs on the
Console and remote terminal are disabled.
You can modify the periodical logging interval. The server will collect all performance statistic logs at the time point that
is the least common multiple of the intervals of all statistic objects.
Notes
Periodical logging takes effect only when the RFC5424 format is enabled.
6-45
Configuration Guide Configuring Syslog
The settings of the periodical logging interval and the function of displaying logs on the Console and remote terminal
take effect only when the periodical logging function is enabled.
It is recommended to disable periodical display of logs on the Console and remote terminal. Otherwise, a large amount
of performance statistic logs will be displayed, increasing the burden on the device.
To ensure the server can collect all performance statistic logs at the same time point, the timer will be restarted when
you modify the periodical logging interval of a statistic object.
Configuration Steps
Unless otherwise specified, perform this configuration on the device to enable periodical logging.
(Optional) By default, periodical display of logs on the Console and remote terminal is disabled.
Unless otherwise specified, perform this configuration on the device to enable periodical display of logs on the Console
and remote terminal.
Unless otherwise specified, perform this configuration on the device to configure the interval at which logs of statistic
objects are sent to the server.
Verification
Related Commands
6-46
Configuration Guide Configuring Syslog
Parameter N/A
Description
Command Global configuration mode
Mode
Configuration N/A
Usage
Configuration Example
Verification Run the show running-config | include logging statistic command to display the configuration.
After the periodical logging timer expires, verify that logs of all performance statistic objects are
generated at the time point that is the least common multiple of the intervals of all statistic objects.
6-47
Configuration Guide Configuring Syslog
On the VSU, logs on the secondary or standby device are displayed on its Console window, and redirected to the active
device for display on the Console or VTY window, or stored in the memory buffer, extended flash, or syslog server.
On a box-type VSU, after the log redirection function is enabled, logs on the secondary or standby device will be
redirected to the active device, and the role flag (*device ID) will be added to each log to indicate that the log is
redirected. Assume that four devices form a VSU. The ID of the active device is 1, the ID of the secondary device is 2,
and the IDs of two standby devices are 3 and 4. The role flag is not added to logs generated by the active device. The
role flag (*2) is added to logs redirected from the secondary device to the active device. The role flags (*3) and (*4) are
added respectively to logs redirected from the two standby devices to the active device.
On a card-type VSU, after the log redirection function is enabled, logs on the secondary or standby supervisor module
will be redirected to the active supervisor module, and the role flag "(device ID/supervisor module name) will be added
to each log to indicate that the log is redirected. If four supervisor modules form a VSU, the role flags are listed as
follows: (*1/M1), (*1/M2), (*2/M1), and (*2/M2).
Notes
You can limit the rate of logs redirected to the active device to prevent generating a large amount of logs on the
secondary or standby device.
Configuration Steps
Unless otherwise specified, perform this configuration on the active device of VSU or active supervisor module.
(Optional) By default, a maximum of 200 logs can be redirected from the standby device to the active device of VSU per
second.
Unless otherwise specified, perform this configuration on the active device of VSU or active supervisor module.
Verification
Related Commands
Command logging rd on
Parameter N/A
6-48
Configuration Guide Configuring Syslog
Description
Command Global configuration mode
Mode
Configuration By default, log redirection is enabled on the VSU.
Usage
Configuration Example
Scenario It is required to configure the syslog redirection function on the VSU as follows:
1. Enable the log redirection function.
2.Set the maximum number of logs with a level higher than critical (Level 2) that can be redirected per
second to 100.
Configuration Configure the syslog redirection function.
Steps
Ruijie(config)# logging rd on
Verification Run the show running-config | include logging command to display the configuration.
Generate a log on the standby device, and verify that the log is redirected to and displayed on the
active device.
6-49
Configuration Guide Configuring Syslog
Record login/exit attempts. After logging of login/exit attempts is enabled, the related logs are displayed on the device
when users access the device through Telnet or SSH. This helps the administrator monitor the device connections.
Record modification of device configurations. After logging of operations is enabled, the related logs are displayed on
the device when users modify the device configurations. This helps the administrator monitor the changes in device
configurations.
Notes
If both the logging userinfo command and the logging userinfo command-log command are configured on the
device, only the configuration result of the logging userinfo command-log command is displayed when you run the
show running-config command.
Configuration Steps
Unless otherwise specified, perform this configuration on every line of the device to enable logging of login/exit
attempts.
Unless otherwise specified, perform this configuration on every line of the device to enable logging of operations.
Verification
Related Commands
6-50
Configuration Guide Configuring Syslog
Parameter N/A
Description
Command Global configuration mode
Mode
Configuration The system generates related logs when users run configuration commands. By default, a device does not
Usage generate logs when users modify device configurations.
Configuration Example
Verification Run the show running-config | include logging command to display the configuration.
Run a command in global configuration mode, and verify that the system generates a log.
Ruijie#configure terminal
By default, the user input is not synchronized with the log output. After this function is enabled, the content input during
log output is displayed after log output is completed, ensuring integrity and continuity of the input.
Notes
This command is executed in line configuration mode. You need to configure this command on every line as required.
6-51
Configuration Guide Configuring Syslog
Configuration Steps
Unless otherwise specified, perform this configuration on every line to synchronize user input with log output.
Verification
Related Commands
Configuration Example
Scenario It is required to synchronize the user input with log output as follows:
1. Enable the synchronization function.
Configuration Configure the synchronization function.
Steps
Verification Run the show running-config | begin line command to display the configuration.
line con 0
logging synchronous
login local
As shown in the following output, when a user types in "vlan", the state of interface 0/1 changes and the
related log is output. After log output is completed, the log module automatically displays the user input
"vlan" so that the user can continue typing.
6-52
Configuration Guide Configuring Syslog
Ruijie(config)#vlan
*Aug 20 10:05:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet 0/1, changed state
to up
Ruijie(config)#vlan
6.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears logs in the memory buffer. clear logging
Displaying
Description Command
Displays log statistics and logs in the memory buffer based on
show logging
the timestamp from oldest to latest.
Displays log statistics and logs in the memory buffer based on
show logging reverse
the timestamp from latest to oldest.
Displays syslog configurations and statistics. show logging config
Displays log statistics of each module in the system. show logging count
6-53
Configuration Guide Configuring CWMP
7 Configuring CWMP
7.1 Overview
CPE WAN Management Protocol (CWMP) provides a general framework of unified device management, related message
specifications, management methods, and data models, so as to solve difficulties in unified management and maintenance of
dispersed customer-premises equipment (CPEs), improve troubleshooting efficiency, and save O&M costs.
Auto configuration and dynamic service provisioning. CWMP allows an Auto-Configuration Server (ACS) to
automatically provision CPEs who initially access the network after start. The ACS can also dynamically re-configure
running CPEs.
Firmware management. CWMP manages and upgrades the firmware and its files of CPEs.
Software module management. CWMP manages modular software according to data models implemented.
Status and performance monitoring. CWMP enables CPEs to notify the ACE of its status and changes, achieving
real-time status and performance monitoring.
Diagnostics. The ACE diagnoses or resolves connectivity or service problems based on information from CPEs, and
can also perform defined diagnosis tests.
7.2 Applications
7-1
Configuration Guide Configuring CWMP
The major components of a CWMP network architecture are CPEs, an ACS, a management center, a DHCP server, and a
Domain Name System (DNS) server. The management center manages a population of CPEs by controlling the ACS on a
Web browser.
Figure 7-1
Note If the Uniform Resource Locator (URL) of the ACS is configured on CPEs, the DHCP server is optional. If
not, the DHCP is required to dynamically discover the ACS URL.
If the URLs of the ACS and CPEs contain IP addresses only, the DNS server is optional. If their URLs
contain domain names, the DNS server is required to resolves the names.
Functional Deployment
7.3 Features
Basic Concept
Major Terminologies
7-2
Configuration Guide Configuring CWMP
Protocol Stack
As shown in Figure 7-2, CWMP defines six layers with respective functions as follows:
ACS/CPE Application
The application layer is not a part of CWMP. It is the development performed by various modules of the CPEs/ACS to
support CWMP, just like the Simple Network Management Protocol (SNMP), which does not cover the MIB management of
functional modules.
RPC Methods
This layer provides various RPC methods for interactions between the ACS and the CPEs.
SOAP
The Simple Object Access Protocol (SOAP) layer uses a XML-based syntax to encode and decode CWMP messages.. Thus,
CWMP messages must comply with the XML-based syntax.
HTTP
All CWMP messages are transmitted over Hypertext Transfer Protocol (HTTP). Both the ACS and the CPEs can behave in
the role of HTTP clients and servers. The server function is used to monitor reverse connections from the peer.
SSL/TLS
The Secure Sockets Layer (SSL) or Transport Layer Security (TLS) layer guarantees CWMP security, including data integrity,
confidentiality, and authentication.
TCP/IP
This layer is the (Transmission Control Protocol/Internet Protocol (TCP/IP) protocol stack.
RPC Methods
The ACS manages and monitors CPEs by calling mostly the following RPC methods:
7-3
Configuration Guide Configuring CWMP
The Get methods enable the ACS to remotely obtain the set of RPC methods, as well as names, values and attributes of the
DM parameters supported on CPEs.
The Set methods enable the ACS to remotely set the values and attributes of the DM parameters supported on CPEs.
The Inform methods enable CPEs to inform the ACS of their device identifiers, parameter information, and events whenever
sessions are established between them.
The Download method enables the ACS to remotely control the file download of CPEs, including firmware management,
upgrade, and Web package upgrade.
The Upload method enables the ACS to remotely control the file upload of CPEs, including upload of firmware and logs.
The Reboot method enables the ACS to remotely reboot the CPEs.
Session Management
CWMP sessions or interactions are the basis for CWMP. All CWMP interactions between the ACS and CPEs rely on their
sessions. CWMP helps initiate and maintain ACS-CPE sessions to link them up for effective management and monitoring.
An ACS-CPE session is a TCP connection, which starts from the Inform negotiation to TCP disconnection. The session is
classified into CPE Initiated Session and ACS Initiated Session according to the session poster.
DM Management
CWMP operates based on CWMP Data Model (DM). CWMP manages all functional modules by a set of operations
performed on DM. Each functional module registers and implements a respective data model, just like the MIBs implemented
by various functional modules of SNMP.
A CWMP data model is represented in the form of a character string. For a clear hierarchy of the data model, a dot (.) is used
as a delimiter to distinguish an upper-level data model node from a lower-level data model node. For instance, in the data
model InternetGatewayDevice.LANDevice, InternetGatewayDevice is the parent data model node of LANDevice, and
LANDevice is the child data model node of InternetGatewayDevice.
DM nodes are classified into two types: object nodes and parameter nodes. The parameter nodes are also known as leaf
nodes. An object node is a node under which there are child nodes, and a parameter node is a leaf node under which there is
no any child node. Object nodes are further classified into single-instance object nodes and multi-instance object nodes. A
single-instance object node is an object node for which there is only one instance, whereas a multi-instance object node is an
object node for which there are multiple instances.
A data model node has two attributes. One attribute relates to a notification function; that is, whether to inform the ACS of
changes (other than changes caused by CWMP) to parameter values of the data model. The other attribute is an identifier
indicating that the parameters of the data model node can be written using other management modes (than the ACS); that is,
7-4
Configuration Guide Configuring CWMP
whether the values of the parameters can be modified using other management modes such as Telnet. The ACS can modify
the attributes of the data models using RPC methods.
Event Management
When some events concerned by the ACS occur on the CPE, the CPE will inform the ACS of these events. The ACS
monitors these events to monitor the working status of the CPE. The CWMP events are just like Trap messages of SNMP or
product logs. Using RPC methods, to the ACS filters out the unconcerned types of events. CWMP events are classified into
two types: single or (not cumulative) events and multiple (cumulative) events. A single event means that there is no
quantitative change to the same event upon re-occurrence of the event, with the old discarded and the newest kept. A
multiple event means that the old are not discarded and the newest event is kept as a complete event when an event
re-occurs for multiple times later; that is, the number of this event is incremented by 1.
All events that occur on the CPE are notified to the ACS using the INFORM method.
Features
Feature Description
Upgrading the The ACS controls the upgrade of the firmware of a CPE using the Download method.
Firmware
Upgrading the The ACS controls the upgrade of the configuration files of a CPE using the Download method.
Configuration Files
Uploading the The ACS controls the upload of the configuration files of a CPE using the Upload method.
Configuration Files
Backing up and When a CPE breaks away from the management center, this feature can remotely restore the CPE to
Restoring a CPE the previous status.
Working Principle
Figure 7-3
7-5
Configuration Guide Configuring CWMP
Users specify a CPE for the ACS to deliver the Download method for upgrading the firmware. The CPE receives the request
and starts to download the latest firmware from the destination file server, upgrade the firmware, and then reboot. After
restart, the CPE will indicate the successful or unsuccessful completion of the method application.
Working Principle
Figure 7-4
7-6
Configuration Guide Configuring CWMP
Users specify a CPE for the ACS to deliver the Download methods for upgrading its configuration files. The CPE downloads
the configuration files from the specified file server, upgrade configuration files, and then reboot. After that, the CPE will
indicate successful or unsuccessful completion of the method application.
Working Principle
Figure 7-5
7-7
Configuration Guide Configuring CWMP
When a CPE initially accesses the ACS, the ACS attempts to learn the configuration files of the CPE in the following
sequence:
When the ACS initially receives an Inform message from the CPE, it locates the corresponding database information
according to device information carried in the message.
If the database does not contain the configuration files of the CPE, the ACS delivers the Upload method to the CPE for
uploading the configuration files.
7-8
Configuration Guide Configuring CWMP
Working Principle
You can configure the restoration function on a CPE, so that the CPE can restore itself from exceptions of its firmware or
configuration files. Then when the CPE fails to connect to the ACS and breaks away from the management center after its
firmware or configuration files are upgraded, the previous firmware or configuration files of the CPE can be restored in time
for the ACS to manage the CPE. This kind of exception is generally caused by delivery of a wrong version or configuration
file.
Before the CPE receives a new firmware or configuration files to upgrade, the CPE will back up its current version and
configuration files. In addition, there is a mechanism for determining whether the problem described in the preceding
scenario has occurred. If the problem has occurred, the CPE is restored to the previous manageable status.
7.4 Configuration
(Mandatory) You can configure the ACS or CPE usernames and passwords to be
authenticated for CWMP connection.
(Optional)You can configure the URLs of the CPE and the ACS.
(Optional) You can configure the basic functions of the CPE, such as upload,
backup and restoration of firmware, configuration files or logs.
7-9
Configuration Guide Configuring CWMP
Precautions
N/A
Configuration Method
Command cwmp
Parameter N/A
Description
Defaults CWMP is enabled by default.
Command Global configuration guide
Mode
Usage Guide N/A
Only one username can be configured for the ACS. If multiple are configured, the latest configuration is applied.
7-10
Configuration Guide Configuring CWMP
The password of the ACS can be in plaintext or encrypted form. Only one password can be configured for the ACS. If
multiple are configured, the latest configuration is applied.
Only one username can be configured for the CPE. If multiple are configured, the latest configuration is applied.
The password of the CPE can be in plaintext or encrypted form. Only one password can be configured for the CPE. If
multiple are configured, the latest configuration is applied.
7-11
Configuration Guide Configuring CWMP
Only one ACS URL can be configured. If multiple are configured, the latest configuration is applied. The ACS URL must
be in HTTP format.
Only one CPE URL can be configured. If multiple are configured, the latest configuration is applied. The CPE URL must
be in HTTP format instead of domain name format.
Verification
7-12
Configuration Guide Configuring CWMP
Configuration Examples
Network
Environment
Figure 7-6
7-13
Configuration Guide Configuring CWMP
Ruijie(config)# cwmp
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE
Ruijie # show cwmp configuration
Ruijie(config)# cwmp
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE
Ruijie #show cwmp configuration
7-14
Configuration Guide Configuring CWMP
Ruijie(config)# cwmp
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE URL : http://10.10.10.2:7547/
Common Errors
The user-input encrypted password is longer than 254 characters, or the length of the password is not an even number.
The user-input encrypted password contains illegal characters (the legitimate characters includes only 0~9, a~f and
A~F)
You can configure common functions of the CPE, such as the backup and restoration of its firmware or configuration file,
whether to enable the CPE to download firmware and configuration files from the ACS, and whether to enable the CPE
to upload its configuration and log files to the ACS.
Configuration Method
(Optional) The value range is from 30 to 3,600 in seconds. The default value is 600 seconds.
Perform this configuration to reset the periodical notification interval of the CPE.
7-15
Configuration Guide Configuring CWMP
Disabling the Function of Downloading Firmware and Configuration Files from the ACS
(Optional) The CPE can download firmware and configuration files from the ACS by default.
Perform this configuration if the CPE does not need to download firmware and configuration files from the ACS.
Disabling the Function of Uploading Configuration and Log Files to the ACS
(Optional.) The CPE can upload configuration and log files to the ACS by default.
Perform this configuration if the CPE does not need to upload configuration and log files to the ACS.
Configuring the Backup and Restoration of the Firmware and Configuration Files of the CPE
(Optional) The backup and restoration of the firmware and configuration files of the CPE is enabled by default. The
value range is from 30 to 10,000 in seconds. The default value is 60 seconds.
7-16
Configuration Guide Configuring CWMP
The longer the delay-time is, the longer the reboot will be complete.
Perform this configuration to modify the function of backing up and restoring the firmware and configuration files of the
CPE.
(Optional) The value range is from 10 to 600 in seconds. The default value is 30 seconds.
Perform this configuration to modify the ACS response timeout period on the CPE.
Verification
7-17
Configuration Guide Configuring CWMP
Configuration Examples
Ruijie(config)#cwmp
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE
Ruijie #show cwmp configuration
……
Disabling the Function of Downloading Firmware and Configuration Files from the ACS
7-18
Configuration Guide Configuring CWMP
CPE
Ruijie#config
Ruijie(config)#cwmp
Ruijie(config-cwmp)#disable download
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE
Ruijie #show cwmp configuration
……
Disabling the Function of Uploading Configuration and Log Files to the ACS
Ruijie(config)#cwmp
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE
Ruijie #show cwmp configuration
……
7-19
Configuration Guide Configuring CWMP
CPE
Ruijie#config
Ruijie(config)#cwmp
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE
Ruijie #show cwmp configuration
……
Ruijie(config)# cwmp
Verification Run the show command on the CPE to check whether the configuration commands have been
successfully applied.
CPE
Ruijie#show cwmp configuration
……
Common Errors
N/A
7-20
Configuration Guide Configuring CWMP
7.5 Monitoring
Displaying
Command Function
show cwmp configuration Displays the CWMP configuration.
show cwmp status Displays the CWMP running status.
7-21
Configuration Guide Configuring MONITOR
8 Configuring MONITOR
8.1 Overview
Intelligent monitoring is the intelligent hardware management of Ruijie Network devices, including intelligent fan speed
adjustment, and intelligent temperature monitoring. The intelligent monitoring performs the following tasks:
By default, the intelligent monitoring function is enabled after the device is powered on. It does not require any manual
configuration.
Protocol Specification
N/A
8.2 Features
Basic Concepts
N/A
Features
Feature Function
Intelligent Speed The rotating speed of fans is automatically adjusted as the temperature changes to address the heat
Adjustment of Fans dissipation needs of the system.
Intelligent The system automatically monitors the temperature. When the temperature exceeds a certain
Temperature threshold, the system automatically generates an alarm.
Monitoring
Power monitoring The system automatically monitors the power. When the power is insufficient or cannot be identified,
the system automatically generates an alarm.
8-1
Configuration Guide Configuring MONITOR
Working Principle
The system automatically specifies default start rotating speed for the fans according to the current operating mode of the
fans. As the ambient temperature rises or drops, the fans automatically raise or reduce their rotating speed to dissipate
heat and ensure that the noise is low.
Verification
Run the show fan command to display working status of all fans.
Working Principle
The system monitors the temperature once per minute. When the temperature exceeds a certain threshold, the system takes
a certain action. The temperature and action vary with different devices.
Verification
Use the show temperature command to check the temperature thresholds and the current temperature of each line card.
8.2.3 Run the show temperature command to display system temperature. Power
Monitoring
The system automatically monitors the power. When the power is insufficient or cannot be identified, the system
automatically generates an alarm.
Working Principle
The system monitors the power once per minutes. If the system finds the power insufficient, the alarm LED becomes yellow
and a Syslog message is generated. Once the alarm event is resolved, the system recovers. If the system cannot identify the
inserted power, the alarm LED becomes yellow. After you remove the power, the system recovers.
Verification
8-2
Configuration Guide Configuring ZAM
9 Configuring ZAM
9.1 Overview
Manual deployment of all required devices for go-online on a network consumes a lot of labor and material resources, and
has the following problems or defects:
Manual deployment of a massive number of devices for go-online on a network imposes a high technical requirement
on deployment personnel. It requires a long period, resulting in high labor and material costs.
Manual deployment of a massive number of devices may cause fatigue, and consequently, may easily cause
deployment inconsistency or errors, resulting in network malfunction.
Manual deployment does not support control and unified management, easily causing difference and inconsistency.
It is hard to track an event and network device deployment. The entire deployment process cannot be controlled and
easily results in problems or missing.
It is hard to manage device go-online in a unified manner. Online statuses of devices cannot be tracked and thus
administrators cannot learn about the online and running statuses of the devices on the network.
Device extensibility is poor. Automatic deployment of extensible devices and even the extensible network is not
supported.
To address the preceding problems, Ruijie launches the ZAM solution to enable zero configuration of network devices,
support plug-and-play, and realize unified and automatic deployment. The ZAM solution imposes few technical requirement
on deployment personnel and helps reduce workload and costs. It avoids inconsistent deployment, supports unified
deployment and management, tracks online statuses of devices, and simplifies operation, maintenance, and deployment of a
massive number of devices.
9.2 Application
Application Description
ZAM Automatic Deployment Implements unified management on device deployment for go-online.
9-1
Configuration Guide Configuring ZAM
Figure 9-1 shows the network topology for ZAM solution. On the basis of the original network, a ZAM control server is added.
DHCP and TFTP services are deployed on the ZAM server for managing and controlling device deployment in a unified
manner for go-online, thus realizing unified management of all the deployed devices.
Figure 9-1
Management Management
network core 1 network core 2
Deployment
9.3 Features
Basic Concepts
ZAM
IDC
9-2
Configuration Guide Configuring ZAM
DHCP
TFTP
Feature
Feature Description
Device Go-online via Uses the ZAM solution to enable zero configuration of network devices.
ZAM
Step 1: A device without configurations accesses a network. The device applies for a fixed IP address from the ZAM control
server via DHCP. The ZAM control server responds to the application by returning an IP address and the response also
carries the TFTP server IP address and the configuration file name corresponding to the device. The device automatically
applies the IP address, and resolves the TFTP server IP address and the configuration file name carried in the response.
Step 2: The device downloads the corresponding configuration file from the ZAM control server via TFTP (a TFTP server can
be independently established).
The ZAM control server and device requiring go-online must meet the following requirements:
Be capable of identifying a device requiring go-online, IP address of a specific device, the TFTP server IP address, and
configuration file name of this device saved on the TFTP server.
Be capable of allocating IP addresses to a device requiring go-online, that is, be capable of providing the DHCP service
to pre-allocate an IP address, a TFTP server IP address, and a configuration file name, and enabling matching between
the device and the preceding pre-allocated information.
Provide the TFTP function and support configuration file download and storage if the TFTP function is deployed on the
ZAM control server (recommended).
Be capable of automatically determining whether to go online via the ZAM solution after being powered on, that is,
determining whether to go online without configuration via the ZAM solution.
Be capable of applying to the DHCP server for an IP address, and obtaining the TFTP server IP address and configures
file name.
Be capable of downloading the specified configuration scripts from the TFTP server via TFTP.
9-3
Configuration Guide Configuring ZAM
Provide a retry mechanism upon a ZAM deployment failure and provide a ZAM exit mechanism.
Working Principle
Initialization
At this stage, a device without configurations is powered on and accesses a network. After loading is completed, the device
automatically pre-deploys the ZAM environment. The pre-deployment requirement is as follows:
Use the MGMT port for ZTP management and retain all default configurations without extra operation.
DHCP
After the pre-deployment, the device obtains the ZAM management IP address, TFTP server IP address, configuration file
name of the device via DHCP. Requirements are as follows:
Trigger DHCP to obtain the ZAM management IP address. Add request identifiers of Option 67 (boot file name) and
Option 150 (TFTP server IP address) to the requested parameter list.
Resolve and deploy ZAM management IP address. Resolve Option 67 and Option 150 in the response.
TFTP
Download the corresponding configuration script according to the configuration file name and TFTP server IP address
obtained at the DHCP stage.
After the configuration script is downloaded successfully, execute the configuration script to download the corresponding
configuration file or bin file from the TFTP server.
Configuration loading
Load the configuration file or bin file obtained at the TFTP stage and restart the device.
Related Configuration
Enabling ZAM
ZAM must be enabled on the device to implement automatic deployment via ZAM.
9.4 Configuration
9-4
Configuration Guide Configuring ZAM
Configure device go-online via ZAM, so that a device without configurations enters the go-online process and
implements automatic deployment.
Notes
Deploy a ZTP control server that supports device go-online via ZAM.
Configuration Steps
Enabling ZAM
Mandatory.
Verification
Run the show zam command to check whether ZAM is enabled and to check configuration of the MGMT port.
Related Commands
Enabling ZAM
Command zam
Parameter N/A
Description
Command Global configuration mode
Mode
Usage Guide Configure ZAM.
Configuration Example
Scenario
9-5
Configuration Guide Configuring ZAM
A(config)# exit
Verification Run the show zam command to display the current configuration and status of ZAM..
Ruijie
Ruijie#show zam
Ruijie#
Common Errors
The network connection between a device requiring go-online and the ZAM control server is abnormal.
9.5 Monitoring
Displaying
Description Command
Displays the current configuration show zam
and status of ZAM.
Debugging
System resources are occupied when debugging information is output. Therefore, disable the debugging switch
immediately after use.
Description Command
Debugs the ZAM framework event. debug zam
9-6
Configuration Guide Configuring Module Hot Swapping
10.1 Overview
Module Hot Swapping automates the installation, uninstallation, reset, and information check of hot-swappable modules
(management cards, line cards, cross-connect and synchronous timing boards [XCSs], and multi-service cards) after they
are inserted into chassis-based devices.
10.2 Applications
Application Description
Resetting Online Modules During routine maintenance, you can reset an abnormally running module to
troubleshoot the fault.
Clearing the Configuration of a During routine maintenance, you can replace the module in a slot with a different type
Module of module.
Clearing the Configuration of a During routine maintenance, you can clear the configuration of all modules on a VSU
Virtual Switch Unit (VSU) Member member device and then reconfigure the modules.
Device
Deleting a MAC Address from the During routine maintenance, you can delete the MAC addresses of VSU member
Configuration File devices to perform MAC address reelection.
Modifying a MAC Address in the When you replace a switch with a new one in gateway mode, you can configure the
Configuration File MAC address of the new switch to be the same as that of the replaced switch to retain
the MAC address of the bound gateway on downstream devices.
During routine maintenance, you can reset an abnormally running module in a slot to troubleshoot the fault.
Deployment
During routine maintenance, you can replace the module in a slot on a chassis-based device with a different type of module
without affecting other modules.
10-1
Configuration Guide Configuring Module Hot Swapping
Deployment
2. Run the remove configuration module command on the device to remove the module configuration.
In VSU mode, to meet service change requirements, you need to clear all configurations on a member device and
reconfigure the device. You can run the remove configuration device command to clear configurations all at once, rather
than clear the configuration of individual modules one by one on the member device.
Deployment
3. Restart the VSU and check whether the configuration of the device is cleared.
In general, the MAC address used by a system is written in the management card or the flash memory of the chassis. In VSU
mode, to avoid service interruption due to the change of the MAC address, the system automatically saves the MAC address
to the configuration file. After the system restarts, the valid MAC address (if any) in the configuration file is used in preference.
The no sysmac command can be used to delete the MAC address from the configuration file. Then the MAC address written
in the flash memory is used by default.
Deployment
1. Run the no sysmac command on the target device to delete its MAC address.
3. Restart the VSU and check whether the MAC address of the device is reelected.
10-2
Configuration Guide Configuring Module Hot Swapping
In gateway mode (the auth-mode gateway command is configured), some peripheral devices are configured with the MAC
address of the bound gateway. If the gateway is replaced, you can use the sysmac command to configure the MAC address
of the new gateway to be the same as that of the replaced gateway to retain the MAC address of the bound gateway on
downstream devices. The sysmac command is valid only in gateway mode.
Deployment
3. Restart the device and check whether its MAC address is modified.
10.3 Features
Feature
Feature Description
Automatically After a new module is inserted into a chassis-based device, the device's management software will
Installing the Inserted automatically install the module driver.
Module
Resetting Online Online modules can be reset.
Modules
The module mentioned here can be a management card, a line card, an XCS, or a multi-service card. A management
card can only be inserted in a management card slot (M1 or M2). A line card or multi-service card can be inserted in a
line card slot. An XCS can only be inserted in an XCS slot.
Working Principle
After a module is inserted, the device's management software will automatically install the module driver and save the
module information (such as the quantity of ports on the module and port type) to the device, which will be used for
subsequent configuration. After the module is removed, its information is not cleared by the management software. You can
10-3
Configuration Guide Configuring Module Hot Swapping
continue to configure the module information. When the module is inserted again, the management software assigns the
user's module configuration to the module and make it take effect.
Working Principle
After you run the reset module command, the device's management software uses a hardware or software interface of the
device to restart the software on the target module and restores the hardware chip to the post-power-on state. The software
failure of the module will be rectified after the module is reset.
10.4 Configuration
The module Hot Swapping feature is automatically implemented without manual configuration.
(Optional) It is used to clear configuration in global configuration mode. After you run the
following commands, you need to save the command configuration so that it can take
effect after system restart.
Configuration Steps
(Optional) Perform this configuration when you need to clear the configuration of a VSU member device.
10-4
Configuration Guide Configuring Module Hot Swapping
(Optional) Perform this configuration when you need to change the MAC address of a system to the reelected MAC
address.
In general, the MAC address used by a system is written in the management card or the flash memory of the chassis. In
VSU mode, to avoid service interruption due to the change of the MAC address, the system automatically saves the
MAC address to the configuration file. After the system restarts, the valid MAC address (if any) in the configuration file is
used in preference.
Command no sysmac
Parameter N/A
Description
Defaults N/A
Command Global configuration mode
Mode
Usage Guide Use this command to delete a MAC address from the configuration file. Then the MAC address written in the
flash memory is used by default.
(Optional) Perform this configuration when you need to modify the MAC address of a device.
In gateway mode (the auth-mode gateway command is configured), some peripheral devices are configured with the
MAC address of the bound gateway. If the gateway is replaced, you can use the sysmac command to configure the
MAC address of the new gateway to be the same as that of the replaced gateway to retain the MAC address of the
bound gateway on downstream devices. The sysmac command is valid only in gateway mode.
Verification
Run the show version slot command to display the installation information of a line card.
10-5
Configuration Guide Configuring Module Hot Swapping
1 4 24 M8606-24GT/12SFP M8606-24GT/12SFP ok
10.5 Monitoring
Displaying
Description Command
Displays the details of a module. show version module detail [slot-num]
show version module detail [device-id/slot-num] (in VSU mode)
Displays the online state of a module. show version slots [slot-num]
show version slots [device-id/slot-num] (in VSU mode)
Displays the current MAC address of show sysmac
a device.
10-6
Configuration Guide Configuring Supervisor Module Redundancy
11.1 Overview
Supervisor module redundancy is a mechanism that adopts real-time backup (also called hot backup) of the service running
status of supervisor modules to improve the device availability.
In a network device with the control plane separated from the forwarding plane, the control plane runs on a supervisor
module and the forwarding plane runs on cards. The control plane information of the master supervisor module is backed up
to the slave supervisor module in real time during device running. When the master supervisor module is shut down as
expected (for example, due to software upgrade) or unexpectedly (for example, due to software or hardware exception), the
device can automatically and rapidly switch to the slave supervisor module without losing user configuration, thereby
ensuring the normal operation of the network. The forwarding plane continues with packet forwarding during switching. The
forwarding is not stopped and no topology fluctuation occurs during the restart of the control plane.
The supervisor module redundancy technology provides the following conveniences for network services:
The supervisor module redundancy technology sustains data forwarding and the status information about user sessions
during switching.
The forwarding plane is not restarted during switching. Therefore, neighbors cannot detect the status change of a link from
Down to Up.
The forwarding plane sustains forwarding communication during switching, and the control plane rapidly constructs a new
forwarding table. The process of replacing the old forwarding table with the new one is unobvious, preventing route flaps.
Thanks to real-time status synchronization, user sessions that are created prior to switching are not lost.
11.2 Applications
Application Description
Redundancy of Supervisor On a core switch where two supervisor modules are installed, the redundancy technology can
Modules improve the network stability and system availability.
11-1
Configuration Guide Configuring Supervisor Module Redundancy
As shown in the following figure, in this network topology, if the core switch malfunctions, networks connected to the core
switch break down. In order to improve the network stability, two supervisor modules need to be configured on the core
switch to implement redundancy. The master supervisor module manages the entire system and the slave supervisor
module backs up information about service running status of the master supervisor module in real time. When manual
switching is performed or forcible switching is performed due to a failure occurring on the master supervisor module, the
slave supervisor module immediately takes over functions of the master supervisor module. The forwarding plane can
proceed with data forwarding and the system availability is enhanced.
Figure 11-1
Deployment
For chassis-type devices, the system is equipped with the master/slave backup mechanism. The system supports
plug-and-play as long as master and slave supervisor modules conform to redundancy conditions.
For case-type devices, each device is equivalent to one supervisor module and one line card. The virtual switching unit (VSU)
composed of multiple case-type devices also has the master/slave backup mechanism.
11.3 Features
Basic Concepts
On a device where two supervisor modules are installed, the system elects one supervisor module as active, which is called
the master supervisor module. The other supervisor module functions as a backup supervisor module. When the master
11-2
Configuration Guide Configuring Supervisor Module Redundancy
supervisor module malfunctions or actively requests switching, the backup supervisor module takes over the functions of the
master supervisor module and becomes the new master supervisor module, which is called the slave supervisor module. In
general, the slave supervisor module does not participate in switch management but monitors the running status of the
master supervisor module.
Globally Master Supervisor Module, Globally Slave Supervisor Module, Globally Candidate Supervisor Module
In a VSU system composed of two or more chassis-type devices, each chassis has two supervisor modules, with the master
supervisor module managing the entire chassis and the slave supervisor module functioning as a backup. For the entire VSU
system, there are two or more supervisor modules. One master supervisor module is elected out of the supervisor modules
to manage the entire VSU system, one slave supervisor module is elected as the backup of the VSU system, and other
supervisor modules are used as candidate supervisor modules. A candidate supervisor module replaces the master or slave
supervisor module and runs as the master or slave supervisor module when the original master or slave supervisor module
malfunctions. In general, candidate supervisor modules do not participate in backup. To differentiate master and slave
supervisor modules in a chassis from those in a VSU system, the master, slave, and candidate supervisor modules in a VSU
system are called "globally master supervisor module", "globally slave supervisor module," and "globally candidate
supervisor module" respectively. The redundancy mechanism of supervisor modules takes effect on the globally master
supervisor module and globally slave supervisor module. Therefore, the master and slave supervisor modules in the VSU
environment are the globally master supervisor module and globally slave supervisor module.
In a VSU system composed of two or more case-type devices, each case-type device is equivalent to one supervisor module
and one line card. The system elects one device as the globally master supervisor module and one device as the globally
slave supervisor module, and other devices serve as globally candidate supervisor modules.
In a device system, the hardware and software of all supervisor modules must be compatible so that the redundancy of
supervisor modules functions properly.
Batch synchronization is required between the master and slave supervisor modules during startup so that the two
supervisor modules are in the same state. The redundancy of supervisor modules is ineffective prior to synchronization.
The master supervisor module experiences the following status changes during master/slave backup:
alone state: In this state, only one supervisor module is running in the system, or the master/slave switching is not
complete, and redundancy is not established between the new master supervisor module and the new slave supervisor
module.
batch state: In this state, redundancy is established between the master and slave supervisor modules and batch
backup is being performed.
realtime state: The master supervisor module enters this state after the batch backup between the master and slave
supervisor modules is complete. Real-time backup is performed between the master and slave supervisor modules,
and manual switching can be performed only in this state.
11-3
Configuration Guide Configuring Supervisor Module Redundancy
Overview
Feature Description
Election of Master and Slave The device can automatically select the master and slave supervisor modules based on the
Supervisor Modules current status of the system. Manual selection is also supported.
Information Synchronization In the redundancy environment of supervisor modules, the master supervisor module
of Supervisor Modules synchronizes status information and configuration files to the slave supervisor module in real
time.
Automatically Selecting Master and Slave Supervisor Modules for Chassis-type Devices
Users are allowed to insert or remove supervisor modules during device running. The device, based on the current condition
of the system, automatically selects an engine for running, without affecting the normal data switching. The following cases
may occur and the master supervisor module is selected accordingly:
If only one supervisor module is inserted during device startup, the device selects this supervisor module as the master
supervisor module regardless of whether it is inserted into the M1 slot or M2 slot.
If two supervisor modules are inserted during device startup, by default, the supervisor module in the M1 slot is selected
as the master supervisor module and the supervisor module in the M2 slot is selected as the slave supervisor module to
serve as a backup, and relevant prompts are output.
If one supervisor module is inserted during device startup and another supervisor module is inserted during device
running, the supervisor module that is inserted later is used as the slave supervisor module to serve as a backup
regardless of whether it is inserted into the M1 slot or M2 slot, and relevant prompts are output.
Assume that two supervisor modules are inserted during device startup and one supervisor module is removed during
device running (or one supervisor module malfunctions). If the removed supervisor module is the slave supervisor
module prior to removal (or failure), only a prompt is displayed after removal (or malfunction), indicating that the slave
supervisor module is removed (or fails to run). If the removed supervisor module is the master supervisor module prior
to removal (or failure), the other supervisor module becomes the master supervisor module and relevant prompts are
output.
Users can manually make configuration to select the master and slave supervisor modules, which are selected based on the
environment as follows:
In standalone mode, users can manually perform master/slave switching. The supervisor modules take effect after
reset.
In VSU mode, users can manually perform master/slave switching to make the globally slave supervisor module
become the globally master supervisor module. If a VSU system has only two supervisor modules, the original globally
master supervisor module becomes the new globally slave supervisor module after reset. If there are more than two
11-4
Configuration Guide Configuring Supervisor Module Redundancy
supervisor modules, one globally candidate supervisor module is elected as the new globally slave supervisor module
and the original globally master supervisor module becomes a globally candidate supervisor module after reset.
Related Configuration
By default, the device can automatically select the master supervisor module.
In both the standalone and VSU modes, users can run the redundancy forceswitch command to perform manual
switching.
Status synchronization
The master supervisor module synchronizes its running status to the slave supervisor module in real time so that the slave
supervisor module can take over the functions of the master supervisor module at any time, without causing any perceivable
changes.
Configuration synchronization
There are two system configuration files during device running: running-config and startup-config. running-config is a system
configuration file dynamically generated during running and changes with the service configuration. startup-config is a
system configuration file imported during device startup. You can run the write command to write running-config into
startup-config or run the copy command to perform the copy operation.
For some functions that are not directly related to non-stop forwarding, the synchronization of system configuration files can
ensure consistent user configuration during switching.
In the case of redundancy of dual supervisor modules, the master supervisor module periodically synchronizes the
startup-config and running-config files to the slave supervisor module and all candidate supervisor modules. The
configuration synchronization is also triggered in the following operations:
1. The running-config file is synchronized when the device switches from the global configuration mode to privileged
EXEC mode.
2. The startup-config file is synchronized when the write or copy command is executed to save the configuration.
3. Information configured over the Simple Network Management Protocol (SNMP) is not automatically synchronized and
the synchronization of the running-config file needs to be triggered by running commands on the CLI.
Related Configuration
By default, the startup-config and running-config files are automatically synchronized once per hour.
Run the auto-sync time-period command to adjust the interval for the master supervisor module to synchronize
configuration files.
11-5
Configuration Guide Configuring Supervisor Module Redundancy
11.4 Configuration
Optional.
Configuring Manual
Master/Slave Switching show redundancy states Displays the hot backup status.
redundancy forceswitch Manually performs master/slave switching.
Optional.
Optional.
Resetting Supervisor
Resets the slave supervisor module or resets both the
Modules
redundancy reload master and slave supervisor modules at the same
time.
The original master supervisor module is reset and the slave supervisor module becomes the new master supervisor
module.
If there are more than two supervisor modules in the system, the original slave supervisor module becomes the master
supervisor module, one supervisor module is elected out of candidate supervisor modules to serve as the new slave
supervisor module, and the original master supervisor module becomes a candidate supervisor module after reset.
Notes
To ensure that data forwarding is not affected during switching, batch synchronization needs to be first performed between
the master and slave supervisor modules so that the two supervisor modules are in the same state. That is, manual switching
can be performed only when the redundancy of supervisor modules is in the real-time backup state. In addition, to ensure
synchronization completeness of configuration files, service modules temporarily forbid manual master/slave switching
during synchronization. Therefore, the following conditions need to be met simultaneously for manual switching:
Manual master/slave switching is performed on the master supervisor module and a slave supervisor module is
available.
All virtual switching devices (VSDs) in the system are in the real-time hot backup state.
The hot-backup switching of all VSDs in the system is not temporarily forbidden by service modules.
If devices are virtualized as multiple VSDs, manual switching can be successfully performed only when the supervisor
modules of all the VSDs are in the real-time backup state.
11-6
Configuration Guide Configuring Supervisor Module Redundancy
Configuration Steps
Optional.
Verification
Run the show redundancy states command to check whether the master and slave supervisor modules are switched.
Related Commands
Configuration Example
Configuration In the VSD environment where the name of one VSD is staff, perform master/slave switching.
Steps
Ruijie> enable
11-7
Configuration Guide Configuring Supervisor Module Redundancy
This operation will reload the master unit and force switchover to the slave unit. Are you sure to
continue? [N/y] y
Verification On the original slave supervisor module, run the show redundancy states command to check the
redundancy status.
Change the automatic synchronization interval of the startup-config and running-config files. If the automatic synchronization
interval is set to a smaller value, changed configuration is frequently synchronized to other supervisor modules, preventing
the configuration loss incurred when services and data are forcibly switched to the slave supervisor module when the master
supervisor module malfunctions.
Configuration Steps
Optional. Make the configuration when the synchronization interval needs to be changed.
Verification
Related Commands
Command redundancy
Parameter N/A
Description
Command Global configuration mode
Mode
Usage Guide N/A
11-8
Configuration Guide Configuring Supervisor Module Redundancy
Parameter time-period value: Indicates the automatic synchronization interval, with the unit of seconds. The value
Description ranges from 1 second to 1 month (2,678,400 seconds).
Command Redundancy configuration mode
Mode
Usage Guide Configure the automatic synchronization interval of the startup-config and running-config files in the case of
redundancy of dual supervisor modules.
Configuration Example
Configuration In redundancy configuration mode of the master supervisor module, configure the automatic synchronization
Steps interval to 60 seconds.
Ruijie(config)# redundancy
Ruijie(config-red)# exit
Verification Run the show redundancy states command to check the configuration.
Resetting only the slave supervisor module does not affect data forwarding, and the forwarding is not interrupted or user
session information is not lost during reset of the slave supervisor module.
In standalone mode, running the redundancy reload shelf command will cause simultaneous reset of all supervisor
modules and line cards in the chassis. In VSU mode, the device of a specified ID is reset when this command is executed. If
there are two or more devices in the system and the device to be reset is the device where the globally master supervisor
module resides, the system performs master/slave switching.
Notes
In VSU mode, if the supervisor modules of the system do not enter the real-time backup state, resetting the device where the
globally master supervisor module resides will cause the reset of the entire VSU system.
Configuration Steps
Optional. Perform the reset when the supervisor modules or device runs abnormally.
11-9
Configuration Guide Configuring Supervisor Module Redundancy
Related Commands
Configuration Example
Configuration In privileged EXEC mode of the globally master supervisor module, reset the device with the ID of 2.
Steps
This operation will reload the device 2. Are you sure to continue? [N/y] y
11.5 Monitoring
Displaying
Description Command
Displays the current redundancy status of dual show redundancy states
supervisor modules.
11-10
Configuration Guide Configuring PoE
12 Configuring PoE
12.1 Overview
Power over Ethernet (PoE) is a technology that can transmit electricity and data to devices through twisted pairs over
Ethernet. This technology enables various devices such as VOIP, WIFI APs, network cameras, hubs and computers to
obtain electricity through twisted pairs.
The largest distance that can be powered by a PoE switch is 100 m as defined by the standards. A PoE switch can collect
statistics about the power supplies of all ports and the entire device, which can be displayed by a query command.
Currently, PoE complies with the IEEE 802.3af and IEEE 802.3at standards. The following table lists the main characteristics
of and differences between the two standards:
12.2 Applications
Application Description
PoE Power Supply Scenario In the scenario, a PoE switch powers powered devices (PDs) and implements data
exchange.
In a PoE system set up with a PoE switch, the PoE switch combines the PoE power supply with the PSE. In addition to
providing normal network data exchange, the PoE switch also provides the power supply function. The main PDs in the
system include the APs of a WLAN and VoIP telephones.
12-1
Configuration Guide Configuring PoE
The PoE switch provides power management, including power supply enabling for ports, power supply priority management,
over-temperature protection for ports, and power supply status query for devices and ports.
A PoE switch enabling PoE+ supports LLDP correlation with PDs for dynamically managing the power supply power of ports.
Figure 12-1
With constantly increasing functions, terminals consume more and more power. The power consumption of certain terminals
exceeds the maximum power 30 W that can be provided by POE+. Consequently, these terminals have to return to the
traditional power supply mode.
HPOE, namely, the IEEE802.3bt standard that is being prepared at present, supplies power through four twisted pairs and
aims at a power of 90 W. The industry hopes that this standard enables the PoE technology to keep up with terminals.
Figure 12-2 is an HPOE scenario that uses a video monitoring system for example.
12-2
Configuration Guide Configuring PoE
A video monitoring system usually uses spherical cameras. Certain spherical cameras provide the PTZ operation, infrared
fill-in light, heating and defogging, and other functions, with a standard power of about 50 W. This standard power has
exceeded the power supply range of PoE. In addition, most spherical cameras do not support the PoE power supply but use
the 12 VDC or 24 VAC power supply. Therefore, a PoE switch cannot directly power spherical cameras and must use a
power box for conversion. Therefore, the HPOE scenario of the video monitoring system is shown in the preceding figure.
The HPOE switch is connected to the power box through an Ethernet cable, and then the power box is directly
connected to non-POE terminals through Ethernet cables and power cables.
The common switch is directly connected to the HPOE midspan over Ethernet. After the power signal is distributed to
the HOPE midspan, the HPOE midspan is directly connected to the power box over Ethernet. The power box is directly
connected to non-POE terminals through Ethernet cables and power cables.
As mentioned above, the rated power of spherical cameras is about 50 W, and the power box needs to convert the 54 V
voltage into 12 VDC or 24 VAC. Conversion will consume some power and there is also some line loss. Therefore, the switch
port needs to output a power higher than 70 W. Ruijie HPOE switches reserve certain margin; therefore, HPOE ports provide
a rated output power of 90 W.
Deployment
By default, a PoE switch port is enabled with the power supply function and can start the power supply after detecting
an accessed device.
12-3
Configuration Guide Configuring PoE
If the total power of the PoE system is insufficient, you can manually configure the power priority for ports to ensure that
the ports are powered first.
12.3 Features
Basic Concepts
The PoE power supply powers the entire PoE system and is classified into external and internal power supplies. Cassette
PoE switches of Ruijie often have internal power supplies and certain products also support external power supplies.
External power supplies are called RPS.
PSE
Power Sourcing Equipment (PSE) queries and detects PDs on PoE ports, classifies PDs into different levels, and supplies
power for the PDs. After detecting that a PD is removed, the PSE stops supplying power.
PD
PDs are devices powered by PSE and are classified into standard PDs and non-standard PDs. Standard PDs are PDs that
comply with the IEEE 802.3af and 802.3at standards. Common non-standard PDs include non-standard PDs with featured
resistance, Cisco pre-standard PDs, PDs supporting only signal cable power supplies, and PDs supporting only idle cable
power supplies. Ruijie switches use signal cable power supplies and do not support PDs supporting only idle cable power
supplies.
When being powered by a PoE power supply, a PD can also connect to other power supplies for redundant backup of the
power supplies.
Overview
Feature Description
Power Supply Manages the power supply policies of the system, such as the power supply mode and
Management for the PoE disconnection detection mode, and supports monitoring on the power supply of the PoE system,
System such as the system alarm limit and trap sending enabling/disabling.
Power Supply Manages the power supply policies of PoE ports, such as port enabling and power supply
Management for PoE Ports prioritization.
Auxiliary PoE Power Provides auxiliary power supply management functions for the system, such as the power alarm
Supply Functions limit of the system and PD descriptor configuration of ports.
LLDP Classification PDs can dynamically adjust allocated power by exchanging LLDP packets with PSE.
12-4
Configuration Guide Configuring PoE
You can switch the power supply mode (namely, the method for allocating power for PDs connected to the PoE switch). The
PoE switch supports the auto mode, and energy-saving mode(default) for power supply management.
In the auto mode, the system allocates power based on the detected PD classes and types on ports. A PoE switch allocates
power for PDs of classes 0 to 4 as follows: 15.4 W for Class0, 4 W for Class1, 7 W for Class2, 15.4 W for Class3, and 30 W
for Class4. In this mode, even if there is a device of Class3 that consumes only 11 W, the PoE switch allocates a power of
15.4 W for the port connecting to this device. The auto mode is the default power supply management mode of the PoE
switch.
In the energy-saving mode, the PoE switch dynamically adjusts allocated power based on actual consumption of PDs. In this
mode, the PoE switch can power more PDs, but the power fluctuation of certain PDs may affect the power supply of other
PDs. The energy-saving mode is an optional mode of the PoE switch. If the switch does not support this mode,
corresponding prompt information will be displayed during configuration.
In the energy-saving mode, the PoE switch calculates the power consumption of the system based on the actual power
consumption of the PDs. If certain PDs have a large power fluctuation in this mode, overload may occur on the PoE switch,
which causes damage of the PoE device. The PoE switch provides a command for setting the reserved power of the PoE
system to ensure that the PoE switch always has "rich" power and that the consumed power will not exceed the limit of the
PoE switch.
The PoE switch provides uninterruptible power supply during hot startup. When the system is restarted, PDs that are being
powered will not be powered off during hot startup of the PoE switch. After the hot startup is completed, the system recovers
the status saved in the configuration file.
Related Configuration
You can run the poe mode { auto | energy-saving } command to configure the power supply management mode. Since
different power management modes provide different methods for allocating power to PDs, mode switching may affect the
PDs that can be powered.
By default, the system disables the uninterruptible power supply function during hot startup.
You can run the poe uninterruptible-power command to enable the uninterruptible power supply function during hot startup.
The configuration takes effect after being saved. During hot startup of the system, the PoE system supplies stable power for
PDs.
12-5
Configuration Guide Configuring PoE
You can run the poe legacy command to configure compatibility with non-standard PDs.
You can configure power supply priorities for ports of a PoE switch. The priorities are Critical, High and Low in a descending
order. In the auto and energy-saving modes, ports with high priorities are powered first. When the system power of the PoE
switch is insufficient, ports with low priorities are powered off first. The default priorities of all ports are low.
Ports with the same priority are sorted by the port number. A smaller port number means a higher priority. For example, the
priority of port 1 is higher than those of ports 2 and 3.
For ports with the same priority, newly inserted ports do not preempt the power of ports that are being powered. For ports
with different priorities, ports with higher priorities can preempt the power of ports with lower priorities.
You can configure a switch to manage the power-on/off of a port based on time ranges. The time range can be configured by
the time-range command in the global configuration mode.
You can configure the maximum power of a port to restrict the maximum output power of the port. In the auto and
energy-saving modes, configuring the maximum power can restrict the maximum output power of ports. When the power of a
port is greater than the configured maximum power for 10 seconds, the port is powered off, the device connected to the port
is powered off, a log indicates power overload for the port, and the LED indicator of the port is displayed in yellow. 10
seconds later, the port is powered on again. If the power of the port is still greater than the maximum power for 10 seconds,
the port will be powered off again. This process repeats constantly.
Related Configuration
By default, ports are enabled with the PoE power supply function.
You can run the no poe enable command to disable the PoE function for ports.
You can run the poe priority { low | high | critical } command to configure the power supply priority of a port. If the power is
insufficient, ports with high priorities preempt the power of ports with low priorities. In this case, certain ports with low
priorities may be powered off due to insufficient power.
12-6
Configuration Guide Configuring PoE
You can run the poe max-power int command to configure the maximum power for a port. In the static mode, the maximum
power configured for a port does not take effect. If the maximum power configured for a port is 15.4 W but the power
consumed by the PD connected to the port is greater than 1.1 times of the maximum power, over-current occurs on the port.
You can run the poe power-off time-range range-name command to configure the regular power-off function for a port. In
the clock period specified by time-range, the PoE switch does not supply power for connected PDs.
The PoE MIB (RFC3621) standard provides pethMainPseUsageThreshold to set the power alarm threshold of the system.
PoE switches provide the CLI to set this value. The function of this CLI is the same as pethMainPseUsageThreshold MIB,
which is setting the power alarm limit of the system. If the pethNotificationControlEnable switch is enabled in the MIB, the
MIB receives notifications on the alarm power.
In actual application, whether the system sends trap notifications in case of power change and port power-on/off needs to be
controlled. The pethNotificationControlEnable item is provided in the PoE standard MIB RFC3621, which is used to set
whether to send trap notifications.
In actual application, you often have to record the PD connected to a specific PoE port. RFC3621 provides
pethPsePortType to set the PD description.
Related Configuration
You can run the poe warning-power int command to configure the power alarm threshold of the system.
You can run the poe notification-control enable command to enable trap notification sending of the system.
You can run the poe pd-description pd-name command to configure the PD descriptor for the port.
12-7
Configuration Guide Configuring PoE
According to the IEEE 802.3at standard, PDs supporting 802.3at must support both secondary hardware classification
(which is 2-Event Physical Layer classification in the standard) and LLDP classification (which is Data Link Layer
classification in the standard). A PD can identify itself as a Class4 type by exchanging LLDP packets with the PSE. The PSE
needs to support only one classification. Ruijie switches support LLDP classification.
After a PD of Class4 and Type2 is inserted into a PoE switch, the PoE switch performs detection and classification first and
then supplies power for the PD. The PoE switch identifies a device as Type1 device and provides a maximum of 13 W power
by default. After LLDP classification is performed, a PD can be identified as a Type2 device. If the PoE switch has sufficient
power, the PD can obtain a maximum of 25.5 W power. If the PoE switch cannot allocate more power any longer, the PD will
constantly send LLDP power request packets to request for power allocation.
The following table lists the maximum power that can be requested by PDs of each class.
Since the cable loss needs to be deducted from the power provided by the PSE, the allocated power is slightly higher than
the maximum power requested by the PD.
This function is enabled by default and takes effect only in the auto mode.
Related Configuration
You can run the poe class-lldp enable command to enable LLDP classification.
12.4 Configuration
12-8
Configuration Guide Configuring PoE
Configuring Auxiliary poe warning-power Configures the power alarm threshold of the
PoE Power Supply system.
Functions poe notification-control enable Configures the trap notification sending
switch of the system.
poe pd-description Configures the PD descriptor of a port.
Enabling the LLDP (Optional) It is used to manage the LLDP classification between the PoE and PDs.
Classification
poe class-lldp enable Uses the LLDP classification.
Configure mode and change the power allocation mode for PDs. In the auto mode, power is allocated based on PD
classes. In the energy-saving mode, power is allocated based on actual consumption.
Configure uninterruptible-power, which maintains the PoE power supply function during hot startup.
Configuration Steps
Switch the power supply management mode, power off all PoE ports and then power on them based on the new power
supply management mode.
To ensure that the PoE switch powers more ports, you can use the energy-saving mode and allocate power to the ports
based on actual power consumption.
12-9
Configuration Guide Configuring PoE
In actual application, switches may need to be upgraded. For example, after the management software is upgraded, a
PoE switch needs to be restarted. However, many PDs are normally powered by the PoE switch in this case. Direct
restart may cause power-off and then power-on of the PDs, that is, the PDs may be interrupted for a period of time.
After this function is enabled or disabled, the configuration will take effect upon next reset only after being saved.
If connected PDs do not meet the PoE standard, the function of being compatible with non-standard PDs can be
enabled to supply power for the PDs.
Running this command for ports not connected to PDs may cause burning of peer devices due to incorrect power-on.
Therefore, you must run this command when PDs are connected to ports.
The powered-on non-standard DSs will not be powered off if the no poe legacy command is run.
If this command is not configured, non-standard PDs connected will not be powered on and the system will not display
any prompt information.
Verification
View the power supply status of the PoE system to check whether the configuration is correct and whether the configuration
takes effect for the power supply.
Related Commands
12-10
Configuration Guide Configuring PoE
Configuration Example
Scenario Each of the connected PDs consumes low power, but the number of the connected PDs is large and all
ports are occupied.
The PDs should not be disconnected during hot startup.
Configuration Switch the mode to the energy-saving mode.
Steps Support uninterruptible power supply during hot startup.
Ruijie(config)# exit
Ruijie# write
Verification Run the show poe powersupply command to view the configurations and the power supply information.
Device member : 1
12-11
Configuration Guide Configuring PoE
Configure time-range to ensure that ports are not powered off within the time-range.
Configure priority for ports. If the power is insufficient, ports with high priorities can preempt the power of ports with low
priorities but ports with the same priority do not preempt the power from each other.
Configure max-power for ports. If the power consumed by a port exceeds 1.1 times of the max-power, the power is
powered off. After a penalty period of 10 seconds, the port is powered on again.
Configuration Steps
To enable or disable the PoE function for a port, you must enable or disable the power supply function of the port.
By default, the PoE function of the port for connecting a convergence switch is enabled and the PoE function for a core
switch is disabled.
If you run the interface range command to configure the PoE function for ports in batches, the enabling or disabling of
the PoE function for a port may affect the global power supply management because the range command is configured
for ports one after another. Therefore, ports may be powered on and then off during the configuration process, which is
normal.
Optional.
When the power supply function is enabled for a port, configure time-range and then manage the power-on/off of the
port based on the period of time specified by range-name.
The accuracy of the regular power supply function for a PoE port is one minute and 30 seconds.
Configure the regular power-off function for a PoE port. range-name indicates the name of the time range, consisting of
up to 32 characters.
In scenarios with insufficient power, in order to supply stable power for certain ports, you can configure priorities for the
ports.
12-12
Configuration Guide Configuring PoE
This command may take effect in the auto and energy-saving modes.
When max-power is set to 0, a port is powered off and not powered on again.
Configure the maximum power of a port. The maximum power cannot exceed 1.1 times of the configured power to
reduce the impact of high power consumed by a single port on power management.
Verification
View the PoE information of PoE ports to check whether the configuration is correct and whether the configuration takes
effect for the power supply.
Related Commands
12-13
Configuration Guide Configuring PoE
Configuration Example
Scenario The port g0/1 requires a stable power supply not affected by the network environment.
The power is powered off from 8:00 to 12:00 and is powered on in other time.
The maximum power of the port does not exceed 17 W.
Configuration Set the priority of the port g0/1 to critical.
Steps Configure time-range and associate the port time-range configuration of the PoE.
Set the maximum power of the port g0/1 to 15.4 W.
Ruijie(config-time-range)# exit
Verification Run the show poe interface gigabitEthernet 0/1 command to view the configurations and the power
supply information.
Interface : gi0/1
Power status : on
12-14
Configuration Guide Configuring PoE
Voltage : 53.5 V
Current : 278 mA
PD class : 4
Priority : critical
Legacy : off
Configure warning-power to display a warning when the power used by the system exceeds the alarm threshold.
Configure notification-control to control whether the system sends trap notifications in case of power change and port
power-on/off.
Configuration Steps
(Mandatory) It is 99 by default, which is consistent with that specified in the RFC3621 MIB.
Configure the power alarm threshold of the system. When the power used by the system exceeds the threshold, the
system displays a warning.
If you set the power alarm threshold of the system by using pethMainPseUsageThreshold provided by the PoE MIB,
the CLI will be configured as well.
When trap notification sending is enabled, trap notifications will be sent when the alarm power notification and power
on/off notification of the system are enabled and disabled.
This CLI command can control only sending of trap notifications defined in the RFC3621 and does not take effect for
trap notifications not defined in the RFC3621.
12-15
Configuration Guide Configuring PoE
When sending of trap notifications defined in the RFC3621 is enabled, a notification is sent if the alarm power changes
from being lower than or equal to the system power to being higher than the system power. If the alarm power is always
higher than the system power, no trap notification will be sent. If the alarm power changes from being higher than or
equal to the system power to being lower than the system power, no trap notification will be sent if the alarm power is
always lower than the system power subsequently.
Configure the PD descriptor of a port to easily identify the PD connected to the port.
If you set the PD by using pethPsePortType provided by the MIB, the CLI will be configured as well.
Verification
Check whether alarm information is output when the power used by the system fluctuates on the alarm power threshold to
check whether the alarm power configuration takes effect.
Connect the PoE to the SNMP server and power on and off a port to check whether corresponding trap notifications are
received from the server and check whether the trap configuration takes effect.
View the PoE information of the port to check whether the PD descriptor of the port is correct.
Related Commands
12-16
Configuration Guide Configuring PoE
Configuration Example
Scenario When the system power exceeds 80%, a warning should be displayed.
When a port is powered on or off, trap notifications should be sent.
PDs connected to ports can be identified.
Configuration Set the alarm power threshold of the system to 80%.
Steps Enable the trap notification sending switch of the system.
Configure the PD descriptor of the port g0/1 as ap220.
Verification Run the show running-config command to view the configurations and power supply information.
Configure class-lldp to support power supply and power negotiation through LLDP between a PoE switch and PDs.
Notes
Configuration Steps
The system switches to the energey-saving mode. Enable the LLDP classification function in the global configuration
mode and verify that there is no max-power configuration on the ports.
If a power is configured with the Max-power command to restrict the maximum power, the LLDP power adjustment
function of the port fails.
12-17
Configuration Guide Configuring PoE
A PoE switch does not allow PDs to adjust their priorities through LLDP requests. The port priorities are managed by
the PoE switch in a unified manner.
Verification
View the "PD class" information in the PoE information of a port to check whether the port is in the LLDP correlation with
PDs.
Related Commands
Configuration Example
Verification Run the show poe interface gigabitEthernet 0/1 command to view the configurations and the power
supply information.
Interface : gi0/1
Power status : on
12-18
Configuration Guide Configuring PoE
Voltage : 53.5 V
Current : 278 mA
PD class : 4(Type1)
Priority : critical
Legacy : off
12.5 Monitoring
Displaying
Description Command
Displays the PoE configuration and show poe interface
status of a specified port.
Displays the PoE status or show poe interfaces
configurations of all ports.
Displays the power supply status of show poe powersupply
the current PoE system.
12-19
Configuration Guide Configuring Package Management
13.1 Overview
Package management (pkg_mgmt) is a package management and upgrade module. This module is responsible for installing,
upgrading/degrading, querying and maintaining various components of the device, among which upgrade is the main
function. Through upgrade, users can install new version of software that is more stable or powerful. Adopting a modular
structure, the RGOS system not only supports overall upgrade and subsystem upgrade but also supports separate upgrade
of a feature package.
Component upgrade described in this document applies to both the box-type device and rack-type device. In addition,
this document is for only version 11.0 and later, excluding those upgraded from earlier versions.
N/A
13.2 Applications
Application Scenario
Upgrading/Degrading Subsystem Upgrade subsystem firmware like boot, kernel, and rootfs on the box-type device and
rack-type device.
Upgrading/Degrading a Single Upgrade a single feature package on the box-type device and rack-mount device.
Feature Package
Auto-Sync for Upgrade Configure the auto sync policy, range and path.
After the upgrade of a subsystem firmware is complete, all system software on the device is updated, and the overall
software is enhanced. Generally, the subsystem firmware of the box-type device is called main package.
The main features of this upgrade mode are as follows: All software on the device is updated after the upgrade is completed;
all known software bugs are fixed. It takes a long time to finish upgrade.
Deployment
You can store the main package in the root directory of the TFTP server, download the package to the device, and then run
an upgrade command to upgrade the package locally. You can also store the main package in a USB flash drive, connect the
USB flash drive to the device, and then run an upgrade command to upgrade the package.
13-1
Configuration Guide Configuring Package Management
Device software consists of several components, and each component is an independent feature module. After an
independent feature package is upgraded, only the feature bug corresponding to this package is fixed. Besides, this feature
is enhanced with the other features unchanged.
The features of this upgrade mode are as follows: Generally, a feature package is small and the upgrade speed is high. After
the upgrade is completed, only the corresponding functional module is improved, and other functional modules remain
unchanged.
Deployment
You can store this package in the root directory of the TFTP server, download the package to the local device, and then
complete the upgrade. You can also store the package in a USB flash drive, connect the USB flash drive to the device, and
then complete the upgrade.
Scenario
Auto-sync upgrade aims to ensure the coordination of multiple modules (line cards and chassis) within a system on a
rack-type device or VSU. Specifically, the upgrade firmware is pushed to all target members automatically and the
software version of new members is upgraded automatically based on the auto-sync policy.
Deployment
13.3 Features
Basic Concepts
Subsystem
A subsystem exists on a device in the form of images. The subsystems of the RGOS include:
boot: After being powered on, the device loads and runs the boot subsystem first. This subsystem is responsible for
initializing the device, and loading and running system images.
kernel: kernel is the OS core part of the system. This subsystem shields hardware composition of the system and
provides applications with abstract running environment.
13-2
Configuration Guide Configuring Package Management
Main package is often used to upgrade/degrade a subsystem of the box-type device. The main package is a
combination package of the boot, kernel, and rootfs subsystems. The main package can be used for overall system
upgrade/degradation.
The feature package of RGOS refers to a collection which enables a certain feature. When the device is delivered, all
supported functions are contained in the rootfs subsystem. You can upgrade only a specific feature by upgrading a single
feature package.
"Firmware" in this document refers to an installation file that contains a subsystem or feature module.
Overview
Feature Description
Upgrading/Degrading and Upgrades/degrades a subsystem.
Managing Subsystem
Components
Upgrading/Degrading and Upgrades/degrades a functional component.
Managing Functional
Components
Auto-Sync for Upgrade Ensures uniform upgrade upon member change.
Working Principle
Upgrade/Degradation
Various subsystems exist on the device in different forms. Therefore, upgrade/degradation varies with different subsystems.
boot: Generally, this subsystem exists on the norflash device in the form of images. Therefore, upgrading/degrading this
subsystem is to write the image into the norflash device.
kernel: This subsystem exists in a specific partition in the form of files. Therefore, upgrading/degrading this subsystem
is to write the file.
rootfs: Generally, this subsystem exists on the nandflash device in the form of images. Therefore, upgrading/degrading
this subsystem is to write the image into the nandflash device.
Management
13-3
Configuration Guide Configuring Package Management
Query the subsystem components that are available currently and then load subsystem components as required.
boot: The boot subsystem always contains a master boot subsystem and a slave boot subsystem. Only the master boot
subsystem is involved in the upgrade, and the slave boot subsystem serves as the redundancy backup all along.
kernel: as the kernel subsystem contains at least one redundancy backup. More redundancy backups are allowed if
there is enough space.
The boot component is not included in the scope of subsystem management due to its particularity. During upgrade of the
kernel or rootfs subsystem component, the upgrade/degradation module always records the subsystem component in use,
the redundant subsystem component, and management information about various versions.
Relevant Configuration
Upgrade
Store the upgrade file on the local device, and then run the upgrade command for upgrade.
In fact, upgrading a feature is replacing feature files on the device with the feature files in the package.
Managing feature components is aimed at recording the information of feature components by using a database. In fact,
installing, displaying and uninstalling a component is the result of performing the Add, Query and Delete operation on the
database.
Relevant Configuration
Upgrade
Store the upgrade file on the local device, and then run the upgrade command for upgrade.
Auto-sync upgrade aims to ensure the coordination of multiple modules (line cards and chassis) within a system. Specifically,
the upgrade firmware is pushed to all target members automatically and the software version of new members is upgraded
automatically based on the auto-sync policy.
Coordinate: Synchronizes with the version based on the firmware stored on the supervisor module.
13-4
Configuration Guide Configuring Package Management
If no upgrade target is specified, the firmware is pushed to all matching members(including line cards and chassis) for
auto-sync.
Every member is checked when the device is restarted and auto-sync is performed accordingly.
Every new member is checked when added into the system and auto-sync is performed accordingly.
Management
Relevant Configuration
To perform upgrade as expected, check the configuration in advance, such as the path.
If some line cards are not checked for upgrade because the system is not configured with auto-sync policy . You can upgrade
them manually.
13.4 Configuration
13-5
Configuration Guide Configuring Package Management
Available firmwares include the main package, rack package, and various feature packages packages.
After the upgrade of the main package is complete, all system software on the line card is updated, and the overall
software is enhanced.
After an independent feature package is upgraded, only the feature bug corresponding to this package is fixed. Besides,
this feature is enhanced, with other features remain unchanged.
Notes
N/A
Configuration Steps
Optional configuration. This configuration is required when all system software on the device needs to be upgraded.
Download the firmware to the local device and run the upgrade command.
Optional configuration. The configuration is used to fix bugs of a certain feature and enhance the function of this feature.
Verification
After upgrading a subsystem component, you can run the show upgrade history command to check whether the
upgrade is successful.
After upgrading a feature component, you can run the show component command to check whether the upgrade is
successful.
Commands
Upgrade
13-6
Configuration Guide Configuring Package Management
Configuration Example
Network Before the upgrade, you must copy the firmware to the device. The upgrade module provides the following
13-7
Configuration Guide Configuring Package Management
Environment solutions.
Run some file system commands like copy tftp and copy xmodem to copy the firmware on the server
to the device file system, and then run the upgrade url command to upgrade the firmware in the local
file system.
Run the upgrade download tftp://path command directly to upgrade the firmware file stored on the
tftp server.
Copy the firmware to a USB flash drive, insert the USB flash drive to the device, and then run the
upgrade url command to upgrade the firmware in the USB flash drive.
Configuration Run the upgrade command.
Steps After upgrading the subsystem, restart the device.
Verification Check the system version on the current device. If the version information changes, the upgrade is
successful.
Network Before the upgrade, you must copy the firmware to the device. The upgrade module provides the following
Environment solutions.
Run some file system commands like copy tftp and copy xmodem to copy the firmware on the server
to the device file system, and then run the upgrade url command to upgrade the firmware in the local
file system.
Run the upgrade download tftp://path command directly to upgrade the firmware file stored on the
tftp server.
Copy the firmware to a USB flash drive, connect the USB flash drive to the device, and then run the
upgrade url command to upgrade the firmware in the USB flash drive .
Verification Check the version of the feature component on the current device. If the version information changes,
the upgrade is successful.
Package :sysmonit
-------------------------------------------------------------------
package:bridge
13-8
Configuration Guide Configuring Package Management
Common Errors
If an error occurs during the upgrade, the upgrade module displays an error message. The following provides an example:
Invalid firmware: The cause is that the firmware may be damaged or incorrect. It is recommended to obtain the firmware
again and perform the upgrade operation.
Firmware not supported by the device: The cause is that you may use the firmware of other devices by mistake. It is
recommended to obtain the firmware again, verify the package, and perform the upgrade operation.
Insufficient device space: Generally, this error occurs on a rack-type device. It is recommended to check whether the
device is supplied with a USB flash drive. Generally, this device has a USB flash drive.
Notes
N/A
Configuration Steps
Run the upgrade auto-sync policy command to configure the auto-sync policy. There are three modes available:
Coordinate: Synchronizes with the version based on the firmware stored on the supervisor module.
Run the upgrade auto-sync range command to configure the auto-sync range. There are two ranges available:
13-9
Configuration Guide Configuring Package Management
Every time the system is upgraded, the firmware path is recorded automatically for later auto-sync upgrade. Alternatively,
use the upgrade auto-sync package command to set a path.
Verification
Commands
All parameters are applicable to only the box-type device and VSU.
All parameters are applicable to only the box-type device and VSU.
Parameter url indicates the path of the firmware in the device file system.
Descripti
13-10
Configuration Guide Configuring Package Management
on
All parameters are applicable to only the rack-type device and VSU.
Configuration Example
Common Errors
13.5 Monitoring
Displaying
Function Command
Displays all components already installed on the show component [ component _name ]
current device and their information.
Displays the upgrade history. show upgrade history
13-11
Ethernet Switching Configuration
1. Configuring Interfaces
4. Configuring VLAN
9. Configuring MSTP
1 Configuring Interfaces
1.1 Overview
Interfaces are important in implementing data switching on network devices. Ruijie devices support two types of interfaces:
physical ports and logical interfaces. A physical port is a hardware port on a device, such as the 100M Ethernet interface and
gigabit Ethernet interface. A logical interface is not a hardware port on the device. A logical interface, such as the loopback
interface and tunnel interface, can be associated with a physical port or independent of any physical port. For network
protocols, physical ports and logical interfaces serve the same function.
1.2 Applications
Application Description
L2 Data Switching Through the Implement Layer-2 (L2) data communication of network devices through the physical
Physical Ethernet Interface L2 Ethernet interface.
L3 Routing Through the Physical Implement Layer-3 (L3) data communication of network devices through the physical
Ethernet Interface L3 Ethernet interface.
Figure 1-1
As shown in Figure 1-1, Switch A, Switch B, and Switch C form a simple L2 data switching network.
Deployment
Connect Switch A to Switch B through physical ports GigabitEthernet 1/0/1 and GigabitEthernet 2/0/1.
Connect Switch B to Switch C through physical ports GigabitEthernet 2/0/2 and GigabitEthernet 3/0/1.
Configure GigabitEthernet 1/0/1, GigabitEthernet 2/0/1, GigabitEthernet 2/0/2, and GigabitEthernet3/0/1 as Trunk ports.
1-1
Configuration Guide Configuring Interfaces
Create a switch virtual interface (SVI), SVI 1, on Switch A and Switch C respectively, and configure IP addresses from a
network segment for the two SVIs. The IP address of SVI 1 on Switch A is 192.168.1.1/24, and the IP address of SVI 1
on Switch C is 192.168.1.2/24.
Run the ping 192.168.1.2 command on Switch A and the ping 192.168.1.1 command on Switch C to implement data
switching through Switch B.
Figure 1-2
As shown in Figure 1-2, Switch A, Switch B, and Switch C form a simple L3 data communication network.
Deployment
Connect Switch A to Switch B through physical ports GigabitEthernet 1/0/1 and GigabitEthernet 2/0/1.
Connect Switch B to Switch C through physical ports GigabitEthernet 2/0/2 and GigabitEthernet 3/0/1.
Configure GigabitEthernet 1/0/1, GigabitEthernet 2/0/1, GigabitEthernet 2/0/2, and GigabitEthernet3/0/1 as L3 routed
ports.
Configure IP addresses from a network segment for GigabitEthernet 1/0/1 and GigabitEthernet 2/0/1. The IP address of
GigabitEthernet 1/0/1 is 192.168.1.1/24, and the IP address of GigabitEthernet 2/0/1 is 192.168.1.2/24.
Configure IP addresses from a network segment for GigabitEthernet 2/0/2 and GigabitEthernet 3/0/1. The IP address of
GigabitEthernet 2/0/2 is 192.168.2.1/24, and the IP address of GigabitEthernet 3/0/1 is 192.168.2.2/24.
Configure a static route entry on Switch C so that Switch C can directly access the network segment 192.168.1.0/24.
Configure a static route entry on Switch A so that Switch C can directly access the network segment 192.168.2.0/24.
Run the ping 192.168.2.2 command on Switch A and the ping 192.168.1.1 command on Switch C to implement L3
routing through Switch B.
1.3 Features
Basic Concepts
Interface Classification
L2 interface (Switch)
1-2
Configuration Guide Configuring Interfaces
Switch port
Routed port
L3 AP port
SVI
Loopback interface
Switch Port
A switch port is an individual physical port on the device, and implements only the L2 switching function. The switch port is
used to manage physical ports and L2 protocols related to physical ports.
L2 AP Port
An AP port is formed by aggregating multiple physical ports. Multiple physical links can be bound together to form a simple
logical link. This logical link is called an AP port.
For L2 switching, an AP port is equivalent to a switch port that combines bandwidths of multiple ports, thus expanding the link
bandwidth. Frames sent over the L2 AP port are balanced among the L2 AP member ports. If one member link fails, the L2
AP port automatically transfers the traffic on the faulty link to other member links, improving reliability of connections.
SVI
The SVI can be used as the management interface of the local device, through which the administrator can manage the
device. You can also create an SVI as a gateway interface, which is mapped to the virtual interface of each VLAN to
implement routing across VLANs among L3 devices. You can run the interface vlan command to create an SVI and assign
an IP address to this interface to set up a route between VLANs.
As shown in Figure 1-3, hosts in VLAN 20 can directly communicate with each other without participation of L3 devices. If
Host A in VLAN 20 wants to communicate with Host B in VLAN 30, SVI 1 of VLAN 20 and SVI 2 of VLAN 30 must be used.
Figure 1-3
1-3
Configuration Guide Configuring Interfaces
Routed Port
A physical port on a L3 device can be configured as a routed port, which functions as the gateway interface for L3 switching.
A routed port is not related with a specific VLAN. Instead, it is just an access port. The routed port cannot be used for L2
switching. You can run the no switchport command to change a switch port to a routed port and assign an IP address to this
port to set up a route. Note that you must delete all L2 features of a switch port before running the no switchport command.
If a port is a L2 AP member port or a DOT1X port that is not authenticated, you cannot run the switchport or no
switchport command to configure the switch port or routed port.
L3 AP Port
Like the L2 AP port, a L3 AP port is a logical port that aggregates multiple physical member ports. The aggregated ports must
be the L3 ports of the same type. The AP port functions as a gateway interface for L3 switching. Multiple physical links are
combined into one logical link, expanding the bandwidth of a link. Frames sent over the L3 AP port are balanced among the
L3 AP member ports. If one member link fails, the L3 AP port automatically transfers the traffic on the faulty link to other
member links, improving reliability of connections.
A L3 AP port cannot be used for L2 switching. You can run the no switchport command to change a L2 AP port that does
not contain any member port into a L3 AP port, add multiple routed ports to this L3 AP port, and then assign an IP address to
this L3 AP port to set up a route.
Loopback Interface
The loopback interface is a local L3 logical interface simulated by the software that is always UP. Packets sent to the
loopback interface are processed on the device locally, including the route information. The IP address of the loopback
interface can be used as the device ID of the Open Shortest Path First (OSPF) routing protocol, or as the source address
used by Border Gateway Protocol (BGP) to set up a TCP connection. The procedure for configuring a loopback interface is
similar to that for configuring an Ethernet interface, and you can treat the loopback interface as a virtual Ethernet interface.
Overview
Feature Description
Interface Configuration You can configure interface-related attributes in interface configuration mode. If you enter
Commands interface configuration mode of a non-existing logical interface, the interface will be created.
Interface Description and You can configure a name for an interface to identify the interface and help you remember
Administrative Status the functions of the interface.
You can also configure the administrative status of the interface.
MTU You can configure the maximum transmission unit (MTU) of a port to limit the length of a
frame that can be received or sent over this port.
Bandwidth You can configure the bandwidth of an interface.
Load Interval You can specify the interval for load calculation of an interface.
Carrier Delay You can configure the carrier delay of an interface to adjust the delay after which the status
of an interface changes from Down to Up or from Up to Down.
Link Trap Policy You can enable or disable the link trap function on an interface.
1-4
Configuration Guide Configuring Interfaces
Feature Description
Interface Index Persistence You can enable the interface index persistence function so that the interface index remains
unchanged after the device is restarted.
Routed Port You can configure a physical port on a L3 device as a routed port, which functions as the
gateway interface for L3 switching.
L3 AP Port You can configure an AP port on a L3 device as a L3 AP port, which functions as the
gateway interface for L3 switching.
Selection of Interface Medium You can select the medium type (fiber or copper) of a combo port as required.
Type
Interface Speed, Duplex Mode, You can configure the speed, duplex mode, flow control mode, and auto negotiation mode
Flow Control Mode, and Auto of an interface.
Negotiation Mode
Automatic Module Detection
If the interface speed is set to auto, the interface speed can be automatically adjusted
based on the type of the inserted module.
Protected Port
You can configure some ports as protected ports to disable communication between these
ports. You can also disable routing between protected ports.
Optical Module
You can configure the optical module antifake detection function to check whether the
Antifake Detection
optical module in use is supplied by Ruijie Networks.
EEE
You can configure the Energy Efficient Ethernet (EEE) function to enable the interface
to work in low power consumption mode.
Working Principle
Run the interface command in global configuration mode to enter interface configuration mode. If you enter interface
configuration mode of a non-existing logical interface, the interface will be created. You can also run the interface range or
interface range macro command in global configuration mode to configure the range (IDs) of interfaces. Interfaces defined in
the same range must be of the same type and have the same features.
You can run the no interface command in global configuration mode to delete a specified logical interface.
1-5
Configuration Guide Configuring Interfaces
In stand-alone mode, the ID of a physical port consists of two parts: slot ID and port ID on the slot. For example, if the slot ID
of the port is 2, and port ID on the slot is 3, the interface ID is 2/3. In VSU or stack mode, the ID of a physical port consists of
three parts: device ID, slot ID, and port ID on the slot. For example, if the device ID is 1, slot ID of the port is 2, and port ID on
the slot is 3, the interface ID is 1/2/3.
The device ID ranges from 1 to the maximum number of supported member devices.
The slot number rules are as follows: The static slot ID is 0, whereas the ID of a dynamic slot (pluggable module or line card)
ranges from 1 to the number of slots. Assume that you are facing the device panel. Dynamic slot are numbered from 1
sequentially from front to rear, from left to right, and from top to bottom.
The ID of a port on the slot ranges from 1 to the number of ports on the slot, and is numbered sequentially from left to right.
You can select fiber or copper as the medium of a combo port. Regardless of the medium selected, the combo port uses the
same port ID.
The ID of an AP port ranges from 1 to the number of AP ports supported by the device.
You can run the interface range command in global configuration mode to configure multiple interfaces at a time. Attributes
configured in interface configuration mode apply to all these interfaces.
The interface range command can be used to specify several interface ranges.
The macro parameter is used to configure the macro corresponding to a range. For details, see "Configuring Macros of
Interface Ranges."
The types of interfaces within all ranges specified in a command must be the same.
Pay attention to the format of the range parameter when you run the interface range command.
AggregatePort Aggregate-port ID (The AP ID ranges from 1 to the maximum number of AP ports supported by the
device.)
Interfaces in an interface range must be of the same type, namely, FastEthernet, GigabitEthernet, AggregatePort, or SVI.
1-6
Configuration Guide Configuring Interfaces
You can define some macros to replace the interface ranges. Before using the macro parameter in the interface range
command, you must first run the define interface-range command in global configuration mode to define these macros.
Run the no define interface-range macro_name command in global configuration mode to delete the configured macros.
Working Principle
Interface Description
You can configure the name of an interface based on the purpose of the interface. For example, if you want to assign
GigabitEthernet 1/1 for exclusive use by user A, you can describe the interface as "Port for User A."
You can configure the administrative status of an interface to disable the interface as required. If the interface is disabled, no
frame will be received or sent on this interface, and the interface will loss all its functions. You can enable a disabled interface
by configuring the administrative status of the interface. Two types of interface administrative status are defined: Up
and Down. The administrative status of an interface is Down when the interface is disabled, and Up when the interface is
enabled.
1.3.3 MTU
You can configure the MTU of a port to limit the length of a frame that can be received or sent over this port.
Working Principle
When a large amount of data is exchanged over a port, frames greater than the standard Ethernet frame may exist. This type
of frame is called jumbo frame. The MTU is the length of the valid data segment in a frame. It does not include the Ethernet
encapsulation overhead.
If a port receives or sends a frame with a length greater than the MTU, this frame will be discarded.
1.3.4 Bandwidth
Working Principle
The bandwidth command can be configured so that some routing protocols (for example, OSPF) can calculate the route
metric and the Resource Reservation Protocol (RSVP) can calculate the reserved bandwidth. Modifying the interface
bandwidth will not affect the data transmission rate of the physical port.
The bandwidth command is a routing parameter, and does not affect the bandwidth of a physical link.
1-7
Configuration Guide Configuring Interfaces
You can run the load-interval command to specify the interval for load calculation of an interface. Generally, the
interval is 10s.
The carrier delay refers to the delay after which the data carrier detect (DCD) signal changes from Down to Up or from Up
to Down. If the DCD status changes during the delay, the system will ignore this change to avoid negotiation at the upper
data link layer. If this parameter is set to a great value, nearly every DCD change is not detected. On the contrary, if the
parameter is set to 0, every DCD signal change will be detected, resulting in poor stability.
If the DCD carrier is interrupted for a long time, the carrier delay should be set to a smaller value to accelerate
convergence of the topology or route. On the contrary, if the DCD carrier interruption time is shorter than the topology or
route convergence time, the carrier delay should be set to a greater value to avoid topology or route flapping.
Working Principle
When the link trap function on an interface is enabled, the Simple Network Management Protocol (SNMP) sends link
traps when the link status changes on the interface.
Working Principle
After interface index persistence is enabled, the interface index remains unchanged after the device is restarted.
A physical port on a L3 device can be configured as a routed port, which functions as the gateway interface for L3 switching.
The routed port cannot be used for L2 switching. You can run the no switchport command to change a switch port to a
1-8
Configuration Guide Configuring Interfaces
routed port and assign an IP address to this port to set up a route. Note that you must delete all L2 features of a switch port
before running the no switchport command.
1.3.10 L3 AP Port
Working Principle
Like a L3 routed port, you can run the no switchport command to change a L2 AP port into a L3 AP port on a L3 device, and
then assign an IP address to this AP port to set up a route. Note that you must delete all L2 features of the AP port before
running the no switchport command.
A L2 AP port with one or more member ports cannot be configured as a L3 AP port. Similarly, a L3 AP port with one or
more member ports cannot be changed to a L2 AP port.
Working Principle
You can choose either fiber or copper as the medium, but the two media cannot take effect at the same time. Once you
select the medium, attributes, including the connection status, speed, duplex mode, and flow control mode, are attributes of
the selected medium. If you change the medium, the interface will adopt the default settings, and you must re-configure these
attributes according to requirements.
If you enable automatic selection of the medium type, the device uses the current medium if only one medium is
available.
If both media are available, the device uses the preferred medium that is configured. By default, the preferred medium
is copper. You can run the medium-type auto-select prefer fiber command to configure fiber as the preferred media.
In automatic medium selection mode, the interface adopts the default settings of attributes, such as the speed, duplex
mode, and flow control mode.
If an interface is enabled with automatic selection, its peer interface must be enabled with auto negotiation; otherwise,
an error will occur.
The command takes effect only on a physical port. An AP port or SVI does not support configuration of the medium
type.
The command takes effect only on a port that supports medium selection.
All ports that are configured as member ports of an AP port must have the same medium type; otherwise, they cannot
be added to the AP port. The type of member ports cannot be modified. A port enabled with automatic medium
selection cannot be added to an AP port.
1-9
Configuration Guide Configuring Interfaces
1.3.12 Interface Speed, Duplex Mode, Flow Control Mode, and Auto Negotiation Mode
You can configure the interface speed, duplex mode, flow control mode, and auto negotiation mode of an Ethernet physical
port or AP port.
Working Principle
Speed
Generally, the speed of an Ethernet physical port is determined through negotiation with the peer device. The negotiated
speed can be any speed within the interface capability. You can also configure any speed within the interface capability for
the Ethernet physical port.
When you configure the speed of an AP port, the configuration takes effect on all of its member ports. (All these member
ports are Ethernet physical ports.)
Duplex Mode
The duplex mode of an Ethernet physical port or AP port can be configured as follows:
Set the duplex mode of the interface to full-duplex so that the interface can receive packets while sending packets.
Set the duplex mode of the interface to half-duplex so that the interface can receive or send packets at a time.
Set the duplex mode of the interface to auto-negotiation so that the duplex mode of the interface is determined through
auto negotiation between the local interface and peer interface.
When you configure the duplex mode of an AP port, the configuration takes effect on all of its member ports. (All these
member ports are Ethernet physical ports.)
Flow Control
Symmetric flow control mode: Generally, after flow control is enabled on an interface, the interface processes the
received flow control frames, and sends the flow control frames when congestion occurs on the interface. The received
and sent flow control frames are processed in the same way. This is called symmetric flow control mode.
Asymmetric flow control mode: In some cases, an interface on a device is expected to process the received flow control
frames to ensure that no packet is discarded due to congestion, and not to send the flow control frames to avoid
decreasing the network speed. In this case, you need to configure asymmetric flow control mode to separate the
procedure for receiving flow control frames from the procedure for sending flow control frames.
When you configure the flow control mode of an AP port, the configuration takes effect on all of its member ports. (All
these member ports are Ethernet physical ports.)
As shown in Figure 1-4, Port A of the device is an uplink port, and Ports B, C and D are downlink ports. Assume that Port A is
enabled with the functions of sending and receiving flow control frames. Port B and Port C are connected to different slow
networks. If a large amount of data is sent on Port B and Port C, Port B and Port C will be congested, and consequently
congestion occurs in the inbound direction of Port A. Therefore, Port A sends flow control frames. When the uplink device
responds to the flow control frames, it reduces the data flow sent to Port A, which indirectly slows down the network speed on
1-10
Configuration Guide Configuring Interfaces
Port D. At this time, you can disable the function of sending flow control frames on Port A to ensure the bandwidth usage of
the entire network.
Figure 1-4
The auto negotiation mode of an interface can be On or Off. The auto negotiation state of an interface is not completely
equivalent to the auto negotiation mode. The auto negotiation state of an interface is jointly determined by the interface
speed, duplex mode, flow control mode, and auto negotiation mode.
When you configure the auto negotiation mode of an AP port, the configuration takes effect on all of its member ports. (All
these member ports are Ethernet physical ports.)
Generally, if one of the interface speed, duplex mode, and flow control mode is set to auto, or the auto negotiation mode
of an interface is On, the auto negotiation state of the interface is On, that is, the auto negotiation function of the
interface is enabled. If none of the interface speed, duplex mode, and flow control mode is set to auto, and the auto
negotiation mode of an interface is Off, the auto negotiation state of the interface is Off, that is, the auto negotiation
function of the interface is disabled.
For a 100M fiber port, the auto negotiation function is always disabled, that is, the auto negotiation state of a 100M fiber
port is always Off. For a Gigabit copper port, the auto negotiation function is always enabled, that is, the auto
negotiation state of a Gigabit copper port is always On.
Working Principle
Currently, the automatic module detection function can be used to detect only the SFP and SFP+ modules. The SFP is a
Gigabit module, whereas SFP+ is a 10 Gigabit module. If the inserted module is SFP, the interface works in Gigabit mode. If
the inserted module is SFP+, the interface works in 10 Gigabit mode.
The automatic module detection function takes effect only when the interface speed is set to auto.
1-11
Configuration Guide Configuring Interfaces
Working Principle
Protected Port
After ports are configured as protected ports, protected ports cannot communicate with each other, but can
communicate with non-protected ports.
Protected ports work in either of the two modes. In the first mode, L2 switching is blocked but routing is allowed between
protected ports. In the second mode, both L2 switching and routing are blocked between protected ports. If a protected port
supports both modes, the first mode is used by default.
When two protected port are configured as a pair of mirroring ports, frames sent or received by the source port can be
mirrored to the destination port.
Currently, only an Ethernet physical port or AP port can be configured as a protected port. When an AP port is configured as
a protected port, all of its member ports are configured as protected ports.
By default, L3 routing between protected ports is not blocked. In this case, you can run the protected-ports route-deny
command to block routing between protected ports.
Working Principle
After a port is shut down due to a violation, you can run the errdisable recovery command in global configuration mode to
recovery all the ports in errdisable state and enable these ports. You can manually recover a port, or automatically recover a
port at a scheduled time.
If the optical module is not supplied by Ruijie Networks, the data communication may be affected. If the optical module
antifake detection function is enabled, the device can automatically identify an optical module that is not supplied by Ruijie
Networks and generate an alarm when such module is inserted to the Ruijie device.
1-12
Configuration Guide Configuring Interfaces
This function is disabled by default. You can enable this function through configuration.
Working Principle
Each optical module supplied by Ruijie Networks has a unique antifake code. The device can read this antifake code to
determine whether the module is supplied by Ruijie networks. If not, the device will generate syslogs and sends traps.
1.3.17 EEE
Energy Efficient Ethernet (EEE) is an energy efficient Ethernet solution. When EEE is enabled, the port enters low power
consumption mode when the Ethernet connection is idle, thus saving the energy.
Low Power Idle (LPI) is the low power consumption mode. After a port enters LPI mode, it reduces signals significantly, and
only sends signals that are sufficient to maintain the connection on the port to save the energy.
Working Principle
According to the Ethernet standards or specifications, interfaces with a bandwidth of 100M or above have the idle state. An
interface will consume much power if it maintains connection without being affected by data transmission. Therefore, the
power consumption is high no matter whether any data is transmitted on the link. Even if no data is transmitted, the port will
always send the idle signals to retain the connection state of the link.
EEE enables a port to enter LPI mode for the purpose of saving energy. In LPI mode, the power consumption is low when the
link is idle. The EEE technology can also quickly change the LPI state of a port to the normal state, providing
high-performance data transmission.
After enabled with EEE, the port automatically enters LPI mode if the port is always Up without sending or receiving any
packet in a period of time. The port recovers the working mode when it needs to send or receive packets, thus saving the
energy. To make the EEE function take effect, the peer port must also support the EEE function.
Only a copper port working in 100M or 1000M speed mode supports the EEE function.
The EEE function takes effect only on the port enabled with auto negotiation.
Working Principle
By default, the port flapping protection function is enabled. You can disable this function as required. When flapping occurs
on a port, the port detects flapping every 2s or 10s. If flapping occurs six times within 2s on a port, the device displays a
prompt. If 10 prompts are displayed continuously, that is, port flapping is detected continuously within 20s, the port is
disabled. If flapping occurs 10 times within 10s on a port, the device displays a prompt without disabling the port.
1-13
Configuration Guide Configuring Interfaces
1.3.19 Syslog
You can enable or disable the syslog function to determine whether to display information about the interface changes or
exceptions.
Working Principle
You can enable or disable the syslog function as required. By default, this function is enabled. When an interface becomes
abnormal, for example, the interface status changes, or the interface receives error frames, or flapping occurs, the system
displays prompts to notify users.
Working Principle
When large-throughput data exchange is performed over a port, frames whose length is longer than that of a standard
Ethernet frame may exist, and these frames are called jumbo frames. The MTU indicates the length of valid data fields in a
frame, excluding the Ethernet encapsulation overhead.
If the length of a frame received or forwarded by a port exceeds the MTU value, the frame will be discarded.
The MTU value ranges from 64 to 9216 bytes. The granularity is four bytes. The default value is 1500 bytes.
The IP MTU automatically changes to the value of the link MTU of an interface when the globally set link MTU changes.
The MTU of an interface takes precedence over the global MTU. After the global MTU is configured, the MTU of an
interface cannot be set to the default value.
1.4 Configuration
1-14
Configuration Guide Configuring Interfaces
Create a specified logical interface and enter configuration mode of this interface, or enter configuration mode of an
existing physical or logical interface.
1-15
Configuration Guide Configuring Interfaces
Create multiple specified logical interfaces and enter interface configuration mode, or enter configuration mode of
multiple existing physical or logical interfaces.
Configure the interface description so that users can directly learn information about the interface.
Notes
The no form of the command can be used to delete a specified logical interface or logical interfaces in a specified range,
but cannot be used to delete a physical port or physical ports in a specified range.
The default form of the command can be used in interface configuration mode to restore default settings of a specified
physical or logical interface, or interfaces in a specified range.
Configuration Steps
Optional.
Run this command to create a logical interface or enter configuration mode of a physical port or an existing logical
interface.
Optional.
Run this command to create multiple logical interfaces or enter configuration mode of multiple physical port or existing
logical interfaces.
1-16
Configuration Guide Configuring Interfaces
Optional.
Run this command when the interface indexes must remain unchanged after the device is restarted.
Optional.
1-17
Configuration Guide Configuring Interfaces
Optional.
Optional.
Command Shutdown
Parameter De N/A
scription
Defaults By default, the administrative status of an interface is Up.
Command Interface configuration mode
Mode
Usage Guide You can run the shutdown command to disable an interface, or the no shutdown command to enable an
interface. In some cases, for example, when an interface is in errdisable state, you cannot run the no
shutdown command on an interface. You can use the no or default form of the command to enable the
interface.
Optional.
1-18
Configuration Guide Configuring Interfaces
Optional.
Verification
Run the interface command. If you can enter interface configuration mode, the configuration is successful.
For a logical interface, after the no interface command is executed, run the show running or show interfaces
command to check whether the logical interface exists. If not, the logical interface is deleted.
After the default interface command is executed, run the show running command to check whether the default
settings of the corresponding interface are restored. If yes, the operation is successful.
Run the interface range command. If you can enter interface configuration mode, the configuration is successful.
After the default interface range command is executed, run the show running command to check whether the default
settings of the corresponding interfaces are restored. If yes, the operation is successful.
After the snmp-server if-index persist command is executed, run the write command to save the configuration,
restart the device, and run the show interface command to check the interface index. If the index of an interface
remains the same after the restart, interface index persistence is enabled.
Remove and then insert the network cable on a physical port, and enable the SNMP server. If the SNMP server
receives link traps, the link trap function is enabled.
Run the no form of the snmp trap link-status command. Remove and then insert the network cable on a physical port.
If the SNMP server does not receive link traps, the link trap function is disabled.
Insert the network cable on a physical port, enable the port, and run the shutdown command on this port. If the syslog
is displayed on the Console indicating that the state of the port changes to Down, and the indicator on the port is off, the
1-19
Configuration Guide Configuring Interfaces
port is disabled. Run the show interfaces command, and verify that the interface state changes to
Administratively Down. Then, run the no shutdown command to enable the port. If the syslog is displayed on the
Console indicating that the state of the port changes to Up, and the indicator on the port is on, the port is enabled.
Run the physical-port dither protect command in global configuration mode. Frequently remove and insert the
network cable on a physical port to simulate port flapping. Verify that a syslog indicating port flapping is displayed on the
Console. After such a syslog is displayed for several times, the system prompts that the port will be shut down.
Run the logging link-updown command in global configuration mode to display the interface status information.
Remove and then insert the network cable on a physical port. The interface state will change twice. Verify that the
information is displayed on the Console, indicating that the interface state changes from Up to Down, and then
from Down to Up. Run the no logging link-updown command. Remove and then insert the network cable. Verify that
the related information is no longer displayed on the Console. This indicates that the syslog function is normal.
Configuration Example
Scenario
Figure 1-5
1-20
Configuration Guide Configuring Interfaces
A# write
B
B# configure terminal
B# write
Run the shutdown command on port GigabitEthern 0/1, and check whether GigabitEthern 0/1 and SVI
1 are Down.
Run the shutdown command on port GigabitEthern 0/1, and check whether a trap indicating that this
interface is Down is sent.
Restart the device, and check whether the index of GigabitEthern 0/1 is the same as that before the
restart.
A
A# show interfaces gigabitEthernet 0/1
Index(dec):1 (hex):1
1-21
Configuration Guide Configuring Interfaces
0 0 0 0
0
1 0 0 0
0
2 0 0 0
0
3 0 0 0
0
4 0 0 0
0
5 0 0 0
0
6 0 0 0
0
7 4 440 0
0
Switchport attributes:
interface's description:""
Priority is 0
admin medium-type is Copper, oper medium-type is Copper admin duplex mode is AUTO, oper
duplex is Unknown
flow control admin status is OFF, flow control oper status is Unknown
Port-type: access
Vlan id: 1
1-22
Configuration Guide Configuring Interfaces
Index(dec):4097 (hex):1001
B
B# show interfaces gigabitEthernet 0/1
Index(dec):1 (hex):1
Hardware is GigabitEthernet
0 0 0 0
0
1 0 0 0
0
2 0 0 0
0
3 0 0 0
0
4 0 0 0
1-23
Configuration Guide Configuring Interfaces
5 0 0 0
0
6 0 0 0
0
7 4 440 0
0
Switchport attributes:
interface's description:""
Priority is 0
flow control admin status is OFF, flow control oper status is Unknown
Port-type: access
Vlan id: 1
Index(dec):4097 (hex):1001
1-24
Configuration Guide Configuring Interfaces
Enable the device to connect and communicate with other devices through the switch port or routed port.
Configuration Steps
Optional.
Run this command to configure a port as a L3 routed port.
After a port is configured as a L3 routed port, L2 protocols running on the port do not take effect.
This command is applicable to a L2 switch port.
Command no switchport
Parameter De N/A
scription
Defaults By default, an Ethernet physical port is a L2 switch port.
Command Interface configuration mode
Mode
Usage Guide On a L3 device, you can run this command to configure a L2 switch port as a L3 routed port. You can run the
switchport command to change a L3 routed port into a L2 switch port.
Configuring a L3 AP Port
Optional.
Run the no switchport command in interface configuration mode to configure a L2 AP port as a L3 AP port. Run the
switchport command to configure a L3 AP port as a L2 AP port.
After a port is configured as a L3 routed port, L2 protocols running on the port do not take effect.
This command is applicable to a L2 AP port.
Command no switchport
Parameter De N/A
scription
Defaults By default, an AP port is a L2 AP port.
Command Interface configuration mode
1-25
Configuration Guide Configuring Interfaces
Mode
Usage Guide After entering configuration mode of a L2 AP port on a L3 device, you can run this command to configure a
L2 AP port as a L3 AP port. After entering configuration mode of a L3 AP port, you can run the switchport
command to change a L3 AP port into a L2 AP port.
Optional.
By default, the medium type of a combo port is copper.
Port flapping may occur if the configured medium type of a port changes.
This command is applicable to an Ethernet physical port or AP port.
Command medium-type { auto-select [ prefer [ fiber | copper ] ] | fiber | copper }
Parameter De auto-select: Indicates that the medium type is selected automatically.
scription prefer [ fiber | copper ]: Indicates the medium type that will be preferentially selected.
fiber: Indicates that fiber is forcibly selected as the medium type.
copper: Indicates that copper is forcibly selected as the medium type.
Defaults By default, the medium type of an interface is copper.
Command Interface configuration mode
Mode
Usage Guide Select either fiber or copper as the medium type of a port when both medium types are available. Once the
medium type is selected, all interface attributes, including the status, duplex mode, and speed, are
configured for the interface of the selected medium type. If the interface type is changed, the attributes of the
new interface type are the default attributes. You can reconfigure these attributes as required.
If you enable automatic selection of the medium type, the device uses the current medium if only one
medium is available. If both media are available, the device uses the preferred medium as configured. By
default, the preferred medium is copper. You can run the medium-type auto-select prefer fiber command
to configure fiber as the preferred media. In automatic medium selection mode, the interface adopts the
default settings of attributes, such as the speed, duplex mode, and flow control mode.
Optional.
Port flapping may occur if the configured speed of a port changes.
This command is applicable to an Ethernet physical port or AP port.
1-26
Configuration Guide Configuring Interfaces
Usage Guide If an interface is an AP member port, the speed of this interface is determined by the speed of the AP port.
When the interface exits the AP port, it uses its own speed configuration. You can run show interfaces to
display the speed configurations. The speed options available to an interface vary with the type of the
interface. For example, you cannot set the speed of an SFP interface to 10 Mbps.
Optional.
Port flapping may occur if the configured duplex mode of a port changes.
This command is applicable to an Ethernet physical port or AP port.
Command duplex { auto | full | half }
Parameter De auto: Indicates automatic switching between full duplex and half duplex.
scription full: Indicates full duplex.
half: Indicates half duplex.
Defaults By default, the duplex mode of an interface is auto.
Command Interface configuration mode
Mode
Usage Guide The duplex mode of an interface is related to the interface type. You can run show interfaces to display the
configurations of the duplex mode.
Optional.
Generally, the flow control mode of an interface is off by default. For some products, the flow control mode is on by
default.
After flow control is enabled on an interface, the flow control frames will be sent or received to adjust the data
volume when congestion occurs on the interface.
Port flapping may occur if the configured flow control mode of a port changes.
Optional.
1-27
Configuration Guide Configuring Interfaces
Port flapping may occur if the configured auto negotiation mode of a port changes.
Optional.
You can configure the MTU of a port to limit the length of a frame that can be received or sent over this port.
Optional.
Generally, the bandwidth of an interface is the same as the speed of the interface.
1-28
Configuration Guide Configuring Interfaces
Optional.
If the configured carrier delay is long, it takes a long time to change the protocol status when the physical status of an
interface changes. If the carrier delay is set to 0, the protocol status changes immediately after the physical status of an
interface changes.
Optional.
The configured load interval affects computation of the average packet rate on an interface. If the configured load
interval is short, the average packet rate can accurately reflect the changes of the real-time traffic.
Optional.
1-29
Configuration Guide Configuring Interfaces
Optional.
After this command is configured, L3 routing between protected ports are blocked.
Command protected-ports route-deny
Parameter De N/A
scription
Defaults By default, the function of blocking L3 routing between protected ports is disabled.
Command Global configuration mode
Mode
Usage Guide By default, L3 routing between protected ports is not blocked. In this case, you can run this command to
block routing between protected ports.
Optional.
By default, a port will be disabled and will not be recovered after a violation occurs. After port errdisable recovery is
configured, a port in errdisable state will be recovered and enabled.
(Optional) Run this command to enable optical module antifake detection when this function is required.
Optical module antifake detection is disabled by default, and the system does not display any alarm if a non-Ruijie
optical module is inserted. After this function is enabled, the system will display alarms for several times if a non-Ruijie
optical module is inserted.
Configuring EEE
1-30
Configuration Guide Configuring Interfaces
Optional.
Verification
Run the show interfaces command to display the attribute configurations of interfaces.
Index(dec):1 (hex):1
No IPv6 address
Ethernet attributes:
Time duration since last link state change: 3 days, 2 hours, 50 minutes, 50 seconds
1-31
Configuration Guide Configuring Interfaces
Priority is 0
Medium-type is Copper
Flow receive control admin status is OFF,flow send control admin status is OFF
Flow receive control oper status is Unknown,flow send control oper status is Unknown
Bridge attributes:
Port-type: trunk
Native vlan:1
Active vlan lists:1, 3-4 //Active VLAN list (indicating that only VLAN 1, VLAN 3, and VLAN 4 are
created on the device)
Run the show eee interfaces status command to display the EEE status of an interface.
Interface : Gi0/1
1-32
Configuration Guide Configuring Interfaces
Configuration Example
1-33
Configuration Guide Configuring Interfaces
Scenario
Figure 1-6
Configuration On Switch A, configure GigabitEthernet 0/1 as an access mode, and the default VLAN ID is 1.
Steps Configure SVI 1, assign an IP address to SVI 1, and set up a route to Switch D.
On Switch B, configure GigabitEthernet 0/1 and GigabitEthernet 0/2 as Trunk ports, and the default
VLAN ID is 1. Configure SVI 1, and assign an IP address to SVI 1. Configure GigabitEthernet 0/3 as a
routed port, and assign an IP address from another network segment to this port.
On Switch C, configure GigabitEthernet 0/1 as an Access port, and the default VLAN ID is 1. Configure
SVI 1, and assign an IP address to SVI 1.
On Switch D, configure GigabitEthernet 0/1 as a routed port, assign an IP address to this port, and set
up a route to Switch A.
A
A# configure terminal
B
B# configure terminal
1-34
Configuration Guide Configuring Interfaces
C
C# configure terminal
D
D# configure terminal
1-35
Configuration Guide Configuring Interfaces
Index(dec):1 (hex):1
Ethernet attributes:
Time duration since last link state change: 3 days, 2 hours, 50 minutes, 50 seconds
Priority is 0
Flow control admin status is OFF, flow control oper status is OFF
Bridge attributes:
Port-type: access
Vlan id: 1
1-36
Configuration Guide Configuring Interfaces
B
B# show interfaces gigabitEthernet 0/1
Index(dec):1 (hex):1
Ethernet attributes:
Time duration since last link state change: 3 days, 2 hours, 50 minutes, 50 seconds
Priority is 0
Flow control admin status is OFF, flow control oper status is OFF
Bridge attributes:
Port-type: trunk
Native vlan: 1
1-37
Configuration Guide Configuring Interfaces
C
C# show interfaces gigabitEthernet 0/1
Index(dec):1 (hex):1
Ethernet attributes:
Time duration since last link state change: 3 days, 2 hours, 50 minutes, 50 seconds
Priority is 0
Flow control admin status is OFF, flow control oper status is OFF
D
D# show interfaces gigabitEthernet 0/1
Index(dec):1 (hex):1
1-38
Configuration Guide Configuring Interfaces
Ethernet attributes:
Time duration since last link state change: 3 days, 2 hours, 50 minutes, 50 seconds
Priority is 0
Flow control admin status is OFF, flow control oper status is OFF
1.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears the counters of a specified clear counters [ interface-type interface-number ]
interface.
1-39
Configuration Guide Configuring Interfaces
Displaying
Description Command
Displays all the status and configuration show interfaces [ interface-type interface-number ]
information of a specified interface.
Displays the interface status. show interfaces [ interface-type interface-number ] status
Displays the interface errdisable status. show interfaces [ interface-type interface-number ] status err-disable
Displays the link status change time and count show interfaces [ interface-type interface-number ] link-state-change
of a specified port. statistics
Displays the administrative and operational show interfaces [ interface-type interface-number ] switchport
states of switch ports (non-routed ports).
Displays the description and status of a show interfaces [ interface-type interface-number ] description
specified interface.
Displays the counters of a specified port, show interfaces [ interface-type interface-number ] counters
among which the displayed speed may have
an error of ±0.5%.
Displays the number of packets increased in a show interfaces [ interface-type interface-number ] counters increment
load interval.
Displays statistics about error packets. show interfaces [ interface-type interface-number ] counters error
Displays the packet sending/receiving rate of show interfaces [ interface-type interface-number ] counters rate
an interface.
Displays a summary of interface information. show interfaces [ interface-type interface-number ] counters summary
Displays the line detection status. When a show interfaces [ interface-type interface-number ] line-detect
cable is short-circuited or disconnected, line
detection helps you correctly determine
the working status of the cable.
Displays the bandwidth usage of an interface. show interfaces [ interface-type interface-number ] usage
Displays the EEE status of an interface. show eee interfaces { interface-type interface-number | status }
Description Command
Displays basic information about the optical show interfaces [ interface-type interface-number ] transceiver
module of a specified interface.
Displays the fault alarms of the optical module show interfaces [ interface-type interface-number ] transceiver alarm
on a specified interface. If no fault occurs,
"None" is displayed.
Displays the optical module diagnosis values show interfaces [ interface-type interface-number ] transceiver diagnosis
of a specified interface.
1-40
Configuration Guide Configuring Interfaces
Line Detection
The administrator can run the line-detect command to check the working status of a cable. When a cable is short-circuited or
disconnected, line detection helps you determine the working status of the cable.
Only a physical port using copper as the medium supports line detection. A physical port using fiber as the medium or
an AP port does not support line detection.
When line detection is performed on an operational interface, the interface will be temporarily disconnected, and then
re-connected.
Description Command
line-detect
Performs line detection in interface
configuration mode. When a cable is
short-circuited or disconnected, line detection
helps you determine the working status of the
cable.
1-41
Configuration Guide Configuring MAC Address
2.1 Overview
A MAC address table contains the MAC addresses, interface numbers and VLAN IDs of the devices connected to the local
device.
When a device forwards a packet, it finds an output port from its MAC address table according to the destination MAC
address and the VLAN ID of the packet.
This document covers dynamic MAC addresses, static MAC addresses and filtered MAC addresses. For the
management of multicast MAC addresses, please see Configuring IGMP Snooping Configuration.
IEEE 802.3: Carrier sense multiple access with collision detection (CSMA/CD) access method and physical layer
specifications
2.2 Applications
Application Description
MAC Address Learning Forward unicast packets through MAC addresses learning.
MAC Address Change Notification Monitor change of the devices connected to a network device through MAC address
change notification.
Usually a device maintains a MAC address table by learning MAC addresses dynamically. The operating principle is
described as follows:
As shown in the following figure, the MAC address table of the switch is empty. When User A communicates with User B, it
sends a packet to the port GigabitEthernet 0/2 of the switch, and the switch learns the MAC address of User A and stores it in
the table.
As the table does not contain the MAC address of User B, the switch broadcasts the packet to the ports of all connected
devices except User A, including User B and User C.
2-1
Configuration Guide Configuring MAC Address
When User B receives the packet, it sends a reply packet to User A through port GigabitEthernet 0/3 on the switch. As the
MAC address of User A is already in the MAC address table, the switch send the reply unicast packet to port GigabitEthernet
0/2 port and learns the MAC address of User B. User C does not receive the reply packet from User B to User A.
Through the interaction between User A and User B, the switch learns the MAC addresses of User A and User B. After that,
packets between User A and User B will be exchanged via unicast without being received by User C.
Deployment
With MAC address learning, a layer-2 switch forwards packets through unicast, reducing broadcast packets and
network load.
2-2
Configuration Guide Configuring MAC Address
Scenario
After MAC address change notification is enabled on a device, the device generates a notification message when the device
learns a new MAC address or finishes aging a learned MAC address, and sends the message in an SNMP Trap message to
a specified NMS.
A notification of adding a MAC address indicates that a new user accesses the network, and that of deleting a MAC address
indicates that a user sends no packets within an aging time and usually the user exits the network.
When a network device is connected to a number of devices, a lot of MAC address changes may occur in a short time,
resulting in an increase in traffic. To reduce traffic, you may configure an interval for sending MAC address change
notifications. When the interval expires, all notifications generated during the interval are encapsulated into a message.
±When a notification is generated, it is stored in the table of historical MAC address change notifications. The administrator
may know recent MAC address changes by checking the table of notification history even without NMS.
A MAC address change notification is generated only for a dynamic MAC address.
Deployment
Enable MAC address change notification on a layer-2 switch to monitor the change of devices connected to a network
device.
2.3 Features
Basic Concepts
A dynamic MAC address is a MAC address entry generated through the process of MAC address learning by a device.
Address Aging
2-3
Configuration Guide Configuring MAC Address
A device only learns a limited number of MAC addresses, and inactive entries are deleted through address aging.
A device starts aging a MAC address when it learns it. If the device receives no packet containing the source MAC address,
it will delete the MAC address from the MAC address table when the time expires.
If a device finds in its MAC address table an entry containing the MAC address and the VLAN ID of a packet and the output
port is unique, it will send the packet through the port directly.
If a device receives a packet containing the destination address ffff.ffff.ffff or an unidentified destination address, it will send
the packet through all the ports in the VLAN where the packet is from, except the input port.
Overview
Feature Description
Dynamic Address Limit for VLAN Limit the number of dynamic MAC addresses in a VLAN.
Dynamic Address Limit for Interface Limit the number of dynamic MAC addresses on an interface.
The MAC address table with a limited capacity is shared by all VLANs. Configure the maximum number of dynamic MAC
addresses for each VLAN to prevent one single VLAN from exhausting the MAC address table space.
A VLAN can only learn a limited number of dynamic MAC addresses after the limit is configured. The packets exceeding the
limit are forwarded.User can configure the maximum MAC addresses learned by a VLAN. After the maximum number
exceeds the limit, the VLAN will stop learning MAC address, and packets will be discarded.
If the number of learned MAC addresses is greater than the limit, a device will stop learning the MAC addresses from
the VLAN and will not start learning again until the number drops below the limit after address aging.
The MAC addresses copied to a specific VLAN are not subject to the limit.
An interface can only learn a limited number of dynamic MAC addresses after the limit is configured. The packets exceeding
the limit are forwarded.
User can configure the maximum MAC addresses learned by a VLAN. After the maximum number exceeds the limit, the
VLAN will stop learning MAC address, and packets will be discarded.
If the number of learned MAC addresses is greater than the limit, a device will stop learning the MAC addresses from
the interface and will not start learning again until the number drops below the limit after address aging.
2-4
Configuration Guide Configuring MAC Address
2.4 Configuration
Configuring a Static MAC (Optional) It is used to bind the MAC address of a device with a port of a switch.
Address
mac-address-table static Configures a static MAC address.
Configuration Steps
Optional.
You can perform this configuration to disable global MAC address learning.
Configuration:
2-5
Configuration Guide Configuring MAC Address
By default, global MAC address learning is enabled. When global MAC address learning is enabled, the MAC address
learning configuration on an interface takes effect; when the function is disabled, MAC addresses cannot be learned
globally.
Optional.
You can perform this configuration to disable MAC address learning on an interface.
Configuration:
Command mac-address-learning
Parameter De N/A
scription
Defaults MAC address learning is enabled by default.
Command Interface configuration mode
Mode
Usage Guide Perform this configuration on a layer-2 interface, for example, a switch port or an AP port.
By default, MAC address learning is enabled. If DOT1X, IP SOURCE GUARD, or a port security function is configured
on a port, MAC address learning cannot be enabled. Access control cannot be enabled on a port with MAC address
learning disabled.
Optional.
Configuration:
The actual aging time may be different from the configured value, but it is not more than two times of the configured
value.
2-6
Configuration Guide Configuring MAC Address
Verification
Run the show mac-address-table dynamic command to display dynamic MAC addresses.
Run the show mac-address-table aging-time command to display the aging time for dynamic MAC addresses.
Command show mac-address-table dynamic [ address mac-address ] [ interface interface-id ] [ vlan vlan-id ]
Parameter De address mac-address: Displays the information of a specific dynamic MAC address.
scription interface interface-id: Specifies a physical interface or an AP port.
vlan vlan-id: Displays the dynamic MAC addresses in a specific VLAN.
Command Privileged EXEC mode/Global configuration mode/Interface configuration mode
Mode
Usage Guide N/A
Field Description
Vlan Indicates the VLAN where the MAC address
resides.
MAC Address Indicates a MAC Address.
Type Indicates a MAC address type.
Interface Indicates the interface where the MAC address
resides.
2-7
Configuration Guide Configuring MAC Address
Configuration Example
Scenario
Figure 2-6
Common Errors
Configure MAC address learning on an interface before configuring the interface as a layer-2 interface, for example, a switch
port or an AP port.
2-8
Configuration Guide Configuring MAC Address
Configuration Steps
Optional.
Configuration:
Verification
Run the show mac-address-table static command to check whether the configuration takes effect.
Command show mac-address-table static [ address mac-address ] [ interface interface-id ] [ vlan vlan-id ]
Parameter De address mac-address: Specifies a MAC address.
scription interface interface-id: Specifies a physical interface or an AP port.
vlan vlan-id: Specifies a VLAN where the MAC address resides.
Command Privileged EXEC mode/Global configuration mode /Interface configuration mode
Mode
Usage Guide N/A
Configuration Example
2-9
Configuration Guide Configuring MAC Address
In the above example, the relationship of MAC addresses, VLAN and interfaces is shown in the following table.
Common Errors
2-10
Configuration Guide Configuring MAC Address
Configure a static MAC address before configuring the specific port as a layer-2 interface, for example, a switch port or
an AP port.
If a device receives packets containing a source MAC address or destination MAC address specified as the filtered
MAC address, the packets are discarded.
Configuration Steps
Optional.
Configuration:
Verification
Run the show mac-address-table filter command to display the filtered MAC address.
1 0000.2222.2222 FILTER
Configuration Example
2-11
Configuration Guide Configuring MAC Address
1 00d0.f800.3232.0001 FILTER
Configuration Steps
Configuring NMS
Optional.
Perform this configuration to enable an NMS to receive MAC address change notifications.
Configuration:
Command snmp-server host host-addr traps [ version { 1 | 2c | 3 [ auth | noauth | priv ] } ] community-string
Parameter De host host-addr: Specifies the IP address of a receiver.
scription version { 1 | 2c | 3 [ auth | noauth | priv ] }: Specifies the version of SNMP TRAP messages. You can also
specify authentication and a security level for packets of Version 3.
community-string: Indicates an authentication name.
Defaults By default, the function is disabled.
Command Global configuration mode
Mode
Usage Guide N/A
Optional.
Configuration:
2-12
Configuration Guide Configuring MAC Address
Optional.
Configuration:
Optional.
Configuration:
Command
snmp trap mac-notification { added | removed }
Parameter De
added: Generates a notification when an MAC address is added.
scription
removed: Generates a notification when an MAC address is deleted.
Defaults
By default, MAC address change notification is disabled on an interface.
Command
Interface configuration mode
Mode
Usage Guide
N/A
Configuring Interval for Generating MAC Address Change Notifications and Volume of Notification History
Optional.
Perform this configuration to modify the interval for generating MAC address change notifications and the volume of
notification history.
2-13
Configuration Guide Configuring MAC Address
Configuration:
Verification
Run the show mac-address-table notification command to check whether the NMS receives MAC address change
notifications.
Interval(Sec): 300
Field Description
Interval(Sec) Indicates the interval for generating MAC address change
notifications.
Maximum History Size Indicates the maximum number of entries in the table of
notification history.
Current History Size Indicates the current notification entry number.
Configuration Example
2-14
Configuration Guide Configuring MAC Address
Scenario
Figure 2-8
The figure shows an intranet of an enterprise. Users are connected to A via port Gi0/2.
When port Gi0/2 learns a new MAC address or finishes aging a learned MAC address, a MAC address
change notification is generated.
Meanwhile, A sends the MAC address change notification in an SNMP Trap message to a specified
NMS.
In a scenario where A is connected to a number of Users, the configuration can prevent MAC address
change notification burst in a short time so as to reduce the network flow.
Configuration Enable global MAC address change notification on A, and configure MAC address change notification
Steps on port Gi0/2.
Configure the IP address of the NMS host, and enable A with SNMP Trap. A communicates with the
NMS via routing.
Configure the interval for sending MAC address change notifications to 300 seconds (1 second by
default).
A
Ruijie# configure terminal
2-15
Configuration Guide Configuring MAC Address
Interval(Sec): 300
Interval(Sec): 300
History Index : 0
2-16
Configuration Guide Configuring MAC Address
Notes
None
Configuration Steps
Optional
Parameter De count: Indicates the maximum number of MAC addresses learned by a port.
scription
Defaults By default, the number of MAC addresses learned by a port is not limited. After the number of MAC
addresses learned by a port is limited and after the maximum number of MAC addresses exceeds the limit,
packets from source MAC addresses are forwarded by default.
Command Interface configuration mode
Mode
Usage Guide
Verification
Configuration Example
Common Errors
None
2-17
Configuration Guide Configuring MAC Address
2.5 Monitoring
Clearing
Running the clear commands may lose vital information and interrupt services.
Description Command
Clears dynamic MAC addresses. clear mac-address-table dynamic [ address mac-address ] [ interface interface-id ]
[ vlan vlan-id ]
Displaying
Description Command
Displays the MAC address table. show mac-address-table { dynamic | static | filter } [ address mac-address ]
[ interface interface-id ] [ vlan vlan-id ]
Displays the aging time for dynamic show mac-address-table aging-time
MAC addresses.
Displays the maximum number of show mac-address-table max-dynamic-mac-count
dynamic MAC addresses.
Displays the configuration and history show mac-address-table notification [ interface [ interface-id ] | history ]
of MAC address change notifications.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs MAC address operation. debug bridge mac
2-18
Configuration Guide Configuring Aggregated Port
3.1 Overview
An aggregated port (AP) is used to bundle multiple physical links into one logical link to increase the link bandwidth and
improve connection reliability.
An AP port supports load balancing, namely, distributes load evenly among member links. Besides, an AP port realizes link
backup. When a member link of the AP port is disconnected, the load carried by the link is automatically allocated to other
functional member links. A member link does not forward broadcast or multicast packets to other member links.
For example, the link between two devices supports a maximum bandwidth of 1,000 Mbps. When the service traffic carried
by the link exceeds 1,000 Mbps, the traffic in excess will be discarded. Port aggregation can be used to solve the problem.
For example, you can connect the two devices with network cables and combine multiple links to form a logical link capable
of multiples of 1,000 Mbps.
For example, there are two devices connected by a network cable. When the link between the two ports of the devices is
disconnected, the services carried by the link will be interrupted. After the connected ports are aggregated, the services will
not be affected as long as one link remains connected.
IEEE 802.3ad
3.2 Applications
Applications Description
AP Link Aggregation and Load A large number of packets are transmitted between an aggregation device and a core
Balancing device, which requires a greater bandwidth. To meet this requirement, you can bundle
the physical links between the devices into one logical link to increase the link
bandwidth, and configure a proper load balancing algorithm to distribute the work load
evenly to each physical link, thus improving bandwidth utilization.
In Figure 3-1, the switch communicates with the router through an AP port. All the devices on the intranet (such as the two
PCs on the left) use the router as a gateway. All the devices on the extranet (such as the two PCs on the right) send packets
to the internet devices through the router, with the gateway’s MAC address as its source MAC address. To distribute the load
between the router and other hosts to other links, configure destination MAC address-based load balancing. On the switch,
configure source MAC address-based load balancing.
3-1
Configuration Guide Configuring Aggregated Port
Deployment
Configure the directly connected ports between the switch and router as a static AP port or a Link Aggregation Control
Protocol (LACP) AP port.
3.3 Features
Basic Concepts
Static AP
The static AP mode is an aggregation mode in which physical ports are directly added to an AP aggregation group through
manual configuration to allow the physical ports to forward packets when the ports are proper in link state and protocol state.
An AP port in static AP mode is called a static AP, and its member ports are called static AP member ports.
LACP
LACP is a protocol about dynamic link aggregation. It exchanges information with the connected device through LACP data
units (LACPDUs).
An AP port in LACP mode is called an LACP AP port, and its member ports are called LACP AP member ports.
There are three aggregation modes available, namely, active, passive, and static.
AP member ports in active mode initiate LACP negotiation. AP member ports in passive mode only respond to received
LACPDUs. AP member ports in static mode do not send LACPDUs for negotiation. The following table lists the requirements
for peer port mode.
3-2
Configuration Guide Configuring Aggregated Port
When a member port is Down, the port cannot forward packets. The Down state is displayed.
When a member port is Up and the link protocol is ready, the port can forward packets. The Up state is displayed.
When the link of a port is Down, the port cannot forward packets. The Down state is displayed.
When the link of a port is Up and the port is added to an aggregation group, the bndl state is displayed.
When the link of a port is Up but the port is suspended because the peer end is not enabled with LACP or the attributes
of the ports are inconsistent with those of the master port, the susp state is displayed. (The port in susp state does not
forward packets.)
LACP aggregation can be implemented only when the rates, flow control approaches, medium types, and Layer-2/3
attributes of member ports are consistent.
If you modify the preceding attributes of a member port in the aggregation group, LACP aggregation will fail.
The ports which are prohibited from joining or exiting an AP port cannot be added to or removed from a static AP port
or an LACP AP port.
LACP System ID
One device can be configured with only one LACP aggregation system. The system is identified by a system ID and each
system has a priority, which is a configurable value. The system ID consists of the LACP system priority and MAC address of
the device. A lower system priority indicates a higher priority of the system ID. If the system priorities are the same, a smaller
MAC address of the device indicates a higher priority of the system ID. The system with an ID of a higher priority determines
the port state. The port state of a system with an ID of a lower priority keeps consistent with that of a higher priority.
LACP Port ID
Each port has an independent LACP port priority, which is a configurable value. The port ID consists of the LACP port priority
and port number. A smaller port priority indicates a higher priority of the port ID. If the port priorities are the same, a smaller
port number indicates a higher priority of the port ID.
When dynamic member ports are Up, LACP selects one of those ports to be the master port based on the rates and duplex
modes, ID priorities of the ports in the aggregation group, and the bundling state of the member ports in the Up state. Only
the ports that have the same attributes as the master port are in Bundle state and participate in data forwarding. When the
attributes of ports are changed, LACP reselects a master port. When the new master port is not in Bundle state, LACP
disaggregates the member ports and performs aggregation again.
3-3
Configuration Guide Configuring Aggregated Port
Overview
Overview Description
Link Aggregation Aggregates physical links statically or dynamically to realize bandwidth extension and link backup.
Load Balancing Balances the load within an aggregation group flexibly by using different load balancing methods.
There are two kinds of AP link aggregation. One is static AP, and the other is dynamic aggregation through LACP.
Static AP
The static AP configuration is simple. Run a command to add the specified physical port to the AP port. After joining the
aggregation group, a member port can receive and transmit data and participate in load balancing within the group.
Dynamic AP (LACP)
An LACP-enabled port sends LACPDUs to advertise its system priority, system MAC address, port priority, port number, and
operation key. When receiving the LACPDU from the peer end, the device compares the system priorities of both ends based
on the system ID in the packet. The end with a higher system ID priority sets the ports in the aggregation group to Bundle
state based on the port ID priorities in a descending order, and sends an updated LACPDU. When receiving the LACPDU,
the peer end sets corresponding ports to Bundle state so that both ends maintain consistency when a port exits or joins the
aggregation group. The physical link can forward packets only after the ports at both ends are bundled dynamically.
After link aggregation, the LACP member ports periodically exchange LACPDUs. When a port does not receive an LACPDU
in the specified time, a timeout occurs and the links are unbundled. In this case, the member ports cannot forward packets.
There are two timeout modes: long timeout and short timeout. In long timeout mode, a port sends a packet every 30s. If it
does not receive a packet from the peer end in 90s, a timeout occurs. In short timeout mode, a port sends a packet every 1s.
If it does not receive a packet from the peer end in 3s, a timeout occurs.
In Figure 3-2, Switch A is connected to Switch B through three ports. Set the system priorities of Switch A and Switch B to
61440 and 4096 respectively. Enable LACP on the Ports 1–6, set the aggregation mode to the active mode, and set the port
priority to the default value 32768.
When receiving an LACPDU from Switch A, Switch B finds that it has a higher system ID priority than Switch A (the system
priority of Switch B is higher than that of Switch A). Switch B sets Port 4, Port 5, and Port 6 to Bundle state based on the
order of port ID priorities (or in an ascending order of port numbers if the port priorities are the same). When receiving an
3-4
Configuration Guide Configuring Aggregated Port
updated LACPDU from Switch B, Switch A finds that Switch B has a higher system ID priority and has set Port 4, Port 5, and
Port 6 to Bundle state. Then Switch A also sets Port 1, Port 2, and Port 3 to Bundle state.
AP ports segregate packet flows by using load balancing algorithms based on packet features, such as the source and
destination MAC addresses, source and destination IP addresses, and Layer-4 source and destination port numbers. The
packet flow with the consistent feature is transmitted by one member link, and different packet flows are evenly distributed to
member links. For example, in source MAC address-based load balancing, packets are distributed to the member links
based on the source MAC addresses of the packets. Packets with different source MAC addresses are evenly distributed to
member links. Packets with the identical source MAC address are forwarded by one member link.
Load balancing based on IP addresses or port numbers is applicable only to Layer-3 packets. When a device
enabled with this load balancing method receives Layer-2 packets, it automatically switches to the default load
balancing method.
All the load balancing methods use a load algorithm to calculate the member links based on the input parameters of the
methods. The input parameters include the source MAC address, destination MAC address, source MAC address +
destination MAC address, source IP address, destination IP address, source IP address + destination IP addresses,
source IP address + destination IP address + Layer-4 port number and so on. The algorithm ensures that packets with
different input parameters are evenly distributed to member links. It does not indicate that these packets are always
distributed to different member links. For example, in IP address-based load balancing, two packets with different
source and destination IP addresses may be distributed to the same member link through calculation.
3.4 Configuration
3-5
Configuration Guide Configuring Aggregated Port
The bandwidth of the aggregation link is equal to the sum of the member link bandwidths.
When a member link of the AP port is disconnected, the load carried by the link is automatically allocated to other
functional member links.
Notes
The ports of different media types or port modes cannot be added to the same AP port.
Layer-2 ports can be added to only a Layer-2 AP port, and Layer-3 ports can be added to only a Layer-3 AP port. The
Layer-2/3 attributes of an AP port that contains member ports cannot be modified.
After a port is added to an AP port, the attributes of the port are replaced by those of the AP port.
After a port is removed from an AP port, the attributes of the port are restored.
After a port is added to an AP port, the attributes of the port are consistent with those of the AP port. Therefore, do not
perform configuration on the AP member ports or apply configuration to a specific AP member port. However, some
configurations (the shutdown and no shutdown commands) can be configured on AP member ports. When you use
AP member ports, check whether the function that you want to configure can take effect on a specific AP member port,
and perform this configuration properly.
Configuration Steps
3-6
Configuration Guide Configuring Aggregated Port
Mandatory.
Run port-group to add a physical port to a static AP port in interface configuration mode. If the AP port does not exist,
it will be created automatically.
Run port-group mode to add a physical port to an LACP AP port in interface configuration mode. If the AP port does not
exist, it will be created automatically.
The AP feature must be configured on the devices at both ends of a link and the AP mode must be the same (static AP
or LACP AP).
Mandatory.
The static AP member ports configured on the devices at both ends of a link must be consistent.
After a member port exits the AP port, the default settings of the member port are restored. Different functions deal with
the default settings of the member ports differently. It is recommended that you check and confirm the port settings after
a member port exits an AP port.
After a member port exits an AP port, the port is disabled by using the shutdown command to avoid loops. After you
confirm that the topology is normal, run no shutdown in interface configuration mode to enable the port again.
Optional.
3-7
Configuration Guide Configuring Aggregated Port
When you need to enable Layer-3 routing on an AP port, for example, to configure IP addresses or static route entries,
convert the Layer-2 AP port to a Layer-3 AP port and enable routing on the Layer-3 AP port.
Perform this configuration on AP-enabled devices that support Layer-2 and Layer-3 features.
Command no switchport
Parameter N/A
Description
Defaults By default, the AP ports are Layer-2 AP ports.
Command Mode Interface configuration mode of the specified AP port
Usage Guide The Layer-3 AP feature is supported by only Layer-3 devices.
The AP port created on a Layer-3 device that does not support Layer-2 feature is a Layer-3 AP port. Otherwise, the AP
port is a Layer-2 AP port.
Verification
Configuration Example
Scenario
Figure 3-3
Configuration Add the GigabitEthernet 1/1 and GigabitEthernet 1/2 ports on Switch A to static AP port 3.
Steps Add the GigabitEthernet 2/1 and GigabitEthernet 2/2 ports on Switch B to static AP port 3.
3-8
Configuration Guide Configuring Aggregated Port
Switch A
SwitchA# configure terminal
SwitchA(config-if-range)# port-group 3
Switch B
SwitchB# configure terminal
SwitchB(config-if-range)# port-group 3
Verification Run show aggregateport summary to check whether AP port 3 contains member ports
GigabitEthernet 1/1 and GigabitEthernet 1/2.
Switch A
SwitchA# show aggregateport summary
Switch B
SwitchB# show aggregateport summary
Connected devices perform autonegotiation through LACP to realize dynamic link aggregation.
The bandwidth of the aggregation link is equal to the sum of the member link bandwidths.
When a member link of the AP port is disconnected, the load carried by the link is automatically allocated to other
functional member links.
It takes LACP 90s to detect a link failure in long timeout mode and 3s in short timeout mode.
Notes
After a port exits an LACP AP port, the default settings of the port may be restored. Different functions deal with the
default settings of the member ports differently. It is recommended that you check and confirm the port settings after a
member port exits an LACP AP port.
Changing the LACP system priority may cause LACP member ports to be disaggregated and aggregated again.
Changing the priority of an LACP member port may cause the other member ports to be disaggregated and aggregated
again.
3-9
Configuration Guide Configuring Aggregated Port
Configuration Steps
Mandatory.
The LACP member port configuration at both ends of a link must be consistent.
Optional.
Perform this configuration when you need to adjust the system ID priority. A smaller value indicates a higher system ID
priority. The device with a higher system ID priority selects an AP port.
Optional.
Perform this configuration when you need to specify the port ID priority. A smaller value indicates a higher port ID
priority. The port with the highest port ID priority will be selected as the master port.
3-10
Configuration Guide Configuring Aggregated Port
Description
Defaults By default, the priority of an LACP member port is 32768.
Command Interface configuration mode of the specified physical port
Mode
Usage Guide Use this command in global configuration mode to configure the priority of an LACP member port. To restore
the settings, run no lacp port-priority in interface configuration mode.
Optional.
When you need to implement real-time link failure detection, configure the short timeout mode. It takes LACP 90s to
detect a link failure in long timeout mode and 3s in short timeout mode.
Verification
Aggregated port 3:
Local information:
3-11
Configuration Guide Configuring Aggregated Port
-------------------------------------------------------------------
Partner information:
--------------------------------------------------------------------
Configuration Example
Configuring LACP
Scenario
Figure 3-4
3-12
Configuration Guide Configuring Aggregated Port
SwitchA(config-if-range)# end
Switch B
SwitchB# configure terminal
SwitchB(config-if-range)# end
Verification Run show lacp summary 3 to check whether LACP AP port 3 contains member ports
GigabitEthernet2/1 and GigabitEthernet2/2.
Switch A
SwitchA# show LACP summary 3
Aggregated port 3:
Local information:
---------------------------------------------------------------------
Partner information:
--------------------------------------------------------------------
Switch B
SwitchB# show LACP summary 3
3-13
Configuration Guide Configuring Aggregated Port
Aggregated port 3:
Local information:
---------------------------------------------------------------------
Partner information:
--------------------------------------------------------------------
3-14
Configuration Guide Configuring Aggregated Port
Enable the system with LinkTrap to send LinkTrap messages when aggregation links are changed.
Configuration Steps
Optional.
Enable LinkTrap in interface configuration mode. By default, LinkTrap is enabled. LinkTrap messages are sent when
the link state or protocol state of the AP port is changed.
Optional.
3-15
Configuration Guide Configuring Aggregated Port
Verification
After LinkTrap is enabled, you can monitor this feature on AP ports or their member ports by using the MIB software.
Configuration Example
Scenario
Figure 3-5
Configuration Add the GigabitEthernet 1/1 and GigabitEthernet 1/2 ports on Switch A to static AP port 3.
Steps Add the GigabitEthernet 2/1 and GigabitEthernet 2/2 ports on Switch B to static AP port 3.
On Switch A, disable LinkTrap for AP port 3 and enable LinkTrap for its member ports.
On Switch B, disable LinkTrap for AP port 3 and enable LinkTrap its AP member ports.
Switch A
SwitchA# configure terminal
SwitchA(config-if-range)# port-group 3
SwitchA(config-if-range)# exit
Switch B
SwitchB# configure terminal
SwitchB(config-if-range)# port-group 3
SwitchB(config-if-range)# exit
Verification Run show running to check whether LinkTrap is enabled for AP port 3 and its member ports.
Switch A
SwitchA# show run | include AggregatePort 3
3-16
Configuration Guide Configuring Aggregated Port
Building configuration...
interface AggregatePort 3
Switch B
SwitchB# show run | include AggregatePort 3
Building configuration...
interface AggregatePort 3
The system distributes incoming packets among member links by using the specified load balancing algorithm. The packet
flow with the consistent feature is transmitted by one member link, whereas different packet flows are evenly distributed to
various links. A device enabled with enhanced load balancing first determines the type of packets to be transmitted and
performs load balancing based on the specified fields in the packets. For example, the AP port performs source IP-based
load balancing on the packets containing an ever-changing source IPv4 address.
Notes
N/A
Configuration Steps
(Optional) Perform this configuration when you need to optimize load balancing.
3-17
Configuration Guide Configuring Aggregated Port
dst-ip: Indicates that load is distributed based on the destination IP addresses of incoming packets.
src-ip: Indicates that load is distributed based on the source IP addresses of incoming packets.
src-dst-mac: Indicates that load is distributed based on source and destination MAC addresses of incoming
packets.
Defaults Load balancing can be based on source and destination MAC addresses, source and destination IP
addresses (applicable to gateways), or the profile of enhanced load balancing (applicable to switches with
CB line cards).
Command Global configuration mode
Mode
Usage Guide To restore the default settings, run no aggregateport load-balance in global configuration mode.
You can run aggregateport load-balance in interface configuration mode of an AP port on devices that
support load balancing configuration on a specific AP port. The configuration in interface configuration mode
prevails. To disable the load balancing algorithm, run no aggregateport load-balance in interface
configuration mode of the AP port. After that, the load balancing algorithm configured in global configuration
mode takes effect.
You can run aggregateport load-balance in interface configuration mode of an AP port on devices
that support load balancing configuration on a specific AP port.
Verification
Run show aggregateport load-balance to display the load balancing configuration. If a device supports load balancing
configuration on a specific AP port, run show aggregateport summary to display the configuration.
Configuration Example
3-18
Configuration Guide Configuring Aggregated Port
Scenario
Figure 3-6
Configuration Add the GigabitEthernet 1/1 and GigabitEthernet 1/2 ports on Switch A to static AP port 3.
Steps Add the GigabitEthernet 2/1 and GigabitEthernet 2/2 ports on Switch B to static AP port 3.
On Switch A, configure source MAC address-based load balancing for AP port 3 in global configuration
mode.
On Switch B, configure destination MAC address-based load balancing for AP port 3 in global
configuration mode.
Switch A
SwitchA# configure terminal
SwitchA(config-if-range)# port-group 3
SwitchA(config-if-range)# exit
Switch B
SwitchB# configure terminal
SwitchB(config-if-range)# port-group 3
SwitchB(config-if-range)# exit
Verification Run show aggregateport load-balance to check the load balancing algorithm configuration.
Switch A
SwitchA# show aggregatePort load-balance
Switch B
SwitchB# show aggregatePort load-balance
Common Errors
3-19
Configuration Guide Configuring Aggregated Port
3.5 Monitoring
Displaying
Description Command
Displays the configuration of an show load-balance-profile [ profile-name ]
enhanced load balancing profile.
Displays the LACP aggregation state. show lacp summary [ key-numebr ]
You can display the information on a
specified LACP AP port by specifying
key-number.
Displays the summary or load show aggregateport [ ap-number ] { load-balance | summary }
balancing algorithm of an AP port.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs an AP port. debug lsm ap
Debugs LACP. debug lacp { packet | event | database | ha | realtime | stm | timer | all}
3-20
Configuration Guide Configuring VLAN
4 Configuring VLAN
4.1 Overview
A Virtual Local Area Network (VLAN) is a logical network created based on a physical network. A VLAN can be categorized
into Layer-2 networks of the OSI model.
A VLAN has the same properties as a common LAN, except for physical location limitation. Unicast, broadcast and multicast
frames of Layer 2 are forwarded and transmitted within a VLAN, keeping traffic segregated.
We may define a port as a member of a VLAN, and all terminals connected to this port are parts of a virtual network that
supports multiple VLANs. You do not need to adjust the network physically when adding, removing and modifying users.
Communication among VLANs is realized through Layer-3 devices, as shown in the following figure.
Figure 4-1
IEEE 802.1Q
4.2 Applications
Application Description
Isolating VLANs at Layer 2 and An intranet is divided into multiple VLANs, realizing Layer-2 isolation and Layer-3
Interconnecting VLANs at Layer 3 interconnection with each other through IP forwarding by core switches.
4-1
Configuration Guide Configuring VLAN
An intranet is divided into VLAN 10, VLAN 20 and VLAN 30, realizing Layer-2 isolation from each other. The three VLANs
correspond respectively to the IP sub-networks 192.168.10.0/24, 192.168.20.0/24, and 192.168.30.0/24, realizing
interconnection with each other through IP forwarding by Layer-3 core switches.
Figure 4-2
Deployment
Divide an intranet into multiple VLANs to realize Layer-2 isolation among them.
4-2
Configuration Guide Configuring VLAN
4.3 Features
Basic Concepts
VLAN
A VLAN is a logical network created based on a physical network. A VLAN has the same properties as a common LAN,
except for physical location limitation. Unicast, broadcast and multicast frames of Layer 2 are forwarded and
transmitted within a VLAN, keeping traffic segregated.
The VLANs supported by Ruijie products comply with the IEEE802.1Q standard. A maximum of 4094 VLANs (VLAN ID
1-4094) are supported, among which VLAN 1 cannot be deleted.
In case of insufficient hardware resources, the system returns information on VLAN creation failure.
Port Mode
You can determine the frames allowed to pass a port and the VLANs which the port belongs to by configuring the port mode.
See the following table for details.
Overview
Feature Description
VLAN VLAN helps realize Layer-2 isolation.
4.3.1 VLAN
Every VLAN has an independent broadcast domain, and different VLANs are isolated on Layer 2.
Working Principle
Every VLAN has an independent broadcast domain, and different VLANs are isolated on Layer 2.
Layer-2 isolation: If no SVIs are configured for VLANs, VLANs are isolated on Layer 2. This means users in these VLANs
cannot communicate with each other.
4-3
Configuration Guide Configuring VLAN
Layer-3 interconnection: If SVIs are configured on a Layer-3 switch for VLANs, these VLANs can communicate with each
other on Layer 3.
4.4 Configuration
(Optional) It is used to configure an Access port to transmit the flows from a single VLAN.
Configuring a Hybrid Port (Optional) It is used to transmit the frames of multiple VLANs untagged.
4-4
Configuration Guide Configuring VLAN
A VLAN is identified by a VLAN ID. You may add, delete, modify VLANs 2 to 4094, but VLAN 1 is created automatically
and cannot be deleted. You may configure the port mode, and add or remove a VLAN.
Notes
N/A
Configuration Steps
Mandatory.
In case of insufficient hardware resources, the system returns information on VLAN creation failure.
Use the vlan vlan-id command to create a VLAN or enter VLAN mode.
Configuration:
Renaming a VLAN
Optional.
You cannot rename a VLAN the same as the default name of another VLAN.
Configuration:
4-5
Configuration Guide Configuring VLAN
Optional.
Use the switchport mode access command to specify Layer-2 ports (switch ports) as Access ports.
Use the switchport access vlan vlan-id command to add an Access port to a specific VLAN so that the flows from the
VLAN can be transmitted through the port.
Configuration:
4-6
Configuration Guide Configuring VLAN
Optional.
This command takes effect only on an Access port. After an Access port is added to a VLAN, the flows of the VLAN can
be transmitted through the port.
Configuration:
For the two commands of adding a port to a VLAN, the command configured later will overwrite the other one.
Verification
Send untagged packets to an Access port, and they are broadcast within the VLAN.
Use commands show vlan and show interface switchport to check whether the configuration takes effect.
Command show vlan [ id vlan-id ]
Parameter De vlan-id : indicates a VLAN ID.
scription
Command Any mode
Mode
Usage Guide N/A
Command Di Ruijie(config-vlan)#show vlan id 20
splay VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------------
20 VLAN0020 STATIC Gi0/1
Configuration Example
4-7
Configuration Guide Configuring VLAN
Ruijie(config-vlan)#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------------
1 VLAN0001 STATIC
20 VLAN0020 STATIC Gi0/3
888 test888 STATIC
Ruijie(config-vlan)#
A Trunk is a point-to-point link connecting one Ethernet interface or multiple ones to other network devices (for example, a
router or switch) and it may transmit the flows from multiple VLANs.
The Trunk of Ruije devices adopts the 802.1Q encapsulation standard. The following figure displays a network adopting a
Trunk connection.
4-8
Configuration Guide Configuring VLAN
Figure 4-3
You may configure an Ethernet port or Aggregate Port (See Configuring Aggregate Port for details) as a Trunk port.
You should specify a native VLAN for a Trunk port. The untagged packets received by and sent from the Trunk port are
considered to belong to the native VLAN. The default VLAN ID (PVID in the IEEE 802.1Q) of this Trunk port is the native
VLAN ID. Meanwhile, frames of the native VLAN sent via the Trunk are untagged. The default native VLAN of a Trunk port is
VLAN 1.
When configuring a Trunk link, make sure the Trunk ports at the two ends of the link adopt the same native VLAN.
Configuration Steps
Mandatory.
Configuration:
Optional.
By default, a trunk port transmits the flows from all the VLANs (1 to 4094). You may configure a list of allowed-VLANs to
prohibit flows of some VLANs from passing through a Trunk port.
4-9
Configuration Guide Configuring VLAN
Configuration:
Command switchport trunk allowed vlan { all | [add | remove | except | only ] } vlan-list
Parameter De The parameter vlan-list can be a VLAN or some VLANs, and the VLAN IDs are connected by "-" in order. For
scription example: 10–20.
all indicates allowed-VLANs include all VLANs;
add indicates adding a specific VLAN to the list of allowed-VLANs;
remove indicates removing a specific VLAN from the list of allowed-VLANs;
except indicates adding all VLANs except those in the listed VLAN to the list of allowed-VLANs.
only indicates adding the listed VLANs to the list of allowed-VLANs, and removing the other VLANs from the
list.
Defaults The Trunk port and the Uplink port belong to all VLANs.
Command Interface configuration mode
Mode
Usage Guide To restore the configuration on a Trunk port to defaults (all), use the no switchport trunk allowed vlan
command.
Optional.
A Trunk port receives and sends tagged or untagged 802.1Q frames. Untagged frames transmit the flows from the
native VLAN. The default native VLAN is VLAN 1.
If a frame carries the VLAN ID of a native VLAN, its tag will be stripped automatically when it passes a Trunk port.
Configuration:
When you set the native VLAN of a port to a non-existent VLAN, this VLAN will not be created automatically. Besides,
the native VLAN can be out of the list of allowed-VLANs for this port. In this case, the flows from the native VLAN cannot
pass through the port.
Verification
Send tag packets to a Trunk port, and they are broadcast within the specified VLANs.
4-10
Configuration Guide Configuring VLAN
Use commands show vlan and show interface switchport to check whether the configuration takes effect.
Configuration Example
Scenario
Figure 4-4
4-11
Configuration Guide Configuring VLAN
Switch A.
D D#configure terminal
D(config)#vlan 10
D(config-vlan)#vlan 20
D(config-vlan)#vlan 30
D(config-vlan)#exit
D(config)#interface range GigabitEthernet 0/2-4
D(config-if-range)#switchport mode trunk
D(config-if-range)#exit
D(config)#interface GigabitEthernet 0/2
D(config-if-GigabitEthernet 0/2)#switchport trunk allowed vlan remove 1-4094
D(config-if-GigabitEthernet 0/2)#switchport trunk allowed vlan add 10,20
D(config-if-GigabitEthernet 0/2)#interface GigabitEthernet 0/3
D(config-if-GigabitEthernet 0/3)#switchport trunk allowed vlan remove 1-4094
D(config-if-GigabitEthernet 0/3)#switchport trunk allowed vlan add 10,20,30
D(config-if-GigabitEthernet 0/3)#interface GigabitEthernet 0/4
D(config-if-GigabitEthernet 0/4)#switchport trunk allowed vlan remove 1-4094
D(config-if-GigabitEthernet 0/4)#switchport trunk allowed vlan add 20,30
D#configure terminal
D(config)#interface vlan 10
D(config-if-VLAN 10)#ip address 192.168.10.1 255.255.255.0
D(config-if-VLAN 10)#interface vlan 20
D(config-if-VLAN 20)#ip address 192.168.20.1 255.255.255.0
D(config-if-VLAN 20)#interface vlan 30
D(config-if-VLAN 30)#ip address 192.168.30.1 255.255.255.0
D(config-if-VLAN 30)#exit
A A#configure terminal
A(config)#vlan 10
A(config-vlan)#vlan 20
A(config-vlan)#exit
A(config)#interface range GigabitEthernet 0/2-12
A(config-if-range)#switchport mode access
A(config-if-range)#switchport access vlan 10
A(config-if-range)#interface range GigabitEthernet 0/13-24
A(config-if-range)#switchport mode access
A(config-if-range)#switchport access vlan 20
A(config-if-range)#exit
A(config)#interface GigabitEthernet 0/1
A(config-if-GigabitEthernet 0/1)#switchport mode trunk
4-12
Configuration Guide Configuring VLAN
Display VLAN information including VLAN IDs, VLAN names, status and involved ports.
Display the status of ports Gi 0/2, Gi 0/3 and Gi 0/4.
D D#show vlan
VLAN Name Status Ports
---- -------- -------- -------------------------------
1 VLAN0001 STATIC Gi0/1, Gi0/5, Gi0/6, Gi0/7
Gi0/8, Gi0/9, Gi0/10, Gi0/11
Gi0/12, Gi0/13, Gi0/14, Gi0/15
Gi0/16, Gi0/17, Gi0/18, Gi0/19
Gi0/20, Gi0/21, Gi0/22, Gi0/23
Gi0/24
10 VLAN0010 STATIC Gi0/2, Gi0/3
20 VLAN0020 STATIC Gi0/2, Gi0/3, Gi0/4
30 VLAN0030 STATIC Gi0/3, Gi0/4
D#show interface GigabitEthernet 0/2 switchport
Interface Switchport Mode Access Native Protected VLAN lists
-------------------------------- ---------- --------- ------ ------ --------- --------------
GigabitEthernet 0/2 enabled TRUNK 1 1 Disabled 10,20
D#show interface GigabitEthernet 0/3 switchport
Interface Switchport Mode Access Native Protected VLAN lists
-------------------------------- ---------- --------- ------ ------ --------- --------------
GigabitEthernet 0/3 enabled TRUNK 1 1 Disabled 10,20,30
D#show interface GigabitEthernet 0/4 switchport
Interface Switchport Mode Access Native Protected VLAN lists
-------------------------------- ---------- --------- ------ ------ --------- --------------
GigabitEthernet 0/4 enabled TRUNK 1 1 Disabled 20,30
Common Errors
N/A
An Uplink port is usually used in QinQ (the IEEE 802.1ad standard) environment, and is similar to a Trunk port. Their
difference is that an Uplink port only transmits tagged frames while a Trunk port sends untagged frames of the native
VLAN.
Configuration Steps
Mandatory.
4-13
Configuration Guide Configuring VLAN
Configure an Uplink port to transmit the flows from multiple VLANS, but only tagged frames can be transmitted.
Configuration:
Optional.
You may configure a list of allowed-VLANs to prohibit flows of some VLANs from passing through an Uplink port.
Configuration:
Command switchport trunk allowed vlan { all | [ add | remove | except | only ] } vlan-list
Parameter De The parameter vlan-list can be a VLAN or some VLANs, and the VLAN IDs are connected by "-" in order. For
scription example:
10–20.
all indicates allowed-VLANs include all VLANs;
add indicates adding a specific VLAN to the list of allowed-VLANs;
remove indicates removing a specific VLAN from the list of allowed-VLANs;
except indicates adding all VLANs except those in the listed VLAN to the list of allowed-VLANs; and
only indicates adding the listed VLANs to the list of allowed-VLANs, and removing the other VLANs from the
list.
Command Interface configuration mode
Mode
Usage Guide To restore the allowed-VLANs to defaults (all), use the no switchport trunk allowed vlan command.
Optional.
If a frame carries the VLAN ID of a native VLAN, its tag will not be stripped when it passes an Uplink port. This is
contrary to a Trunk port.
Configuration:
4-14
Configuration Guide Configuring VLAN
Usage Guide To restore the native VLAN of an Uplink to defaults, use the no switchport trunk native vlan command.
Verification
Send tag packets to an Uplink port, and they are broadcast within the specified VLANs.
Use commands show vlan and show interface switchport to check whether the configuration takes effect.
Configuration Example
Verification
Check whether the configuration is correct.
A Hybrid port is usually used in SHARE VLAN environment. By default, a Hybrid port is the same as a Trunk port. Their
difference is that a Hybrid port can send the frames from the VLANs except the default VLAN in the untagged format.
4-15
Configuration Guide Configuring VLAN
Configuration Steps
Mandatory.
Configuration:
Optional.
By default, a Hybrid port transmits the flows from all the VLANs (1 to 4094). You may configure a list of allowed-VLANs
to prohibit flows of some VLANs from passing through a Hybrid port.
Configuration:
Command switchport hybrid allowed vlan [ [add | only ] tagged | [ add ] untaged | remove ] vlan_list
Parameter De vlan-id: indicates a VLAN ID.
scription
Defaults By default a Hybrid port belongs to all VLANs. The port is added to the default VLAN in untagged form and
to the other VLANs in the tagged form.
Command Interface configuration mode
Mode
Usage Guide N/A
Optional.
If a frame carries the VLAN ID of a native VLAN, its tag will be stripped automatically when it passes a Hybrid port.
Configuration:
4-16
Configuration Guide Configuring VLAN
Mode
Usage Guide To restore the native VLAN of a Hybrid port to defaults, use the no switchport hybrid native vlan
command.
Verification
Send tagged packets to an Hybrid port, and they are broadcast within the specified VLANs.
Use commands show vlan and show interface switchport to check whether the configuration takes effect.
Configuration Example
Verification
Check whether the configuration is correct.
Building configuration...
Current configuration : 166 bytes
4-17
Configuration Guide Configuring VLAN
4.5 Monitoring
Displaying
Description Command
Debugging
System resources are occupied when debugging information is output. Disable the debugging switch immediately after
use.
Description Command
Debugs debug bridge vlan
VLANs.
4-18
Configuration Guide Configuring MAC VLAN
5.1 Overview
The MAC VLAN function refers to assigning VLANs based on MAC addresses, which is a new method of VLAN assignment.
This function is often used with 802.1Xdynamic VLAN assignment to implement secure and flexible access of
802.1Xterminals. After an 802.1Xuser passes authentication, the access switch automatically generates a MAC VLAN entry
based on the VLAN and user MAC address pushed by the authentication server. A network administrator can also configure
the association between a MAC address and a VLAN on the switch in advance.
Protocols
5.2 Applications
Application Description
Configuring MAC VLAN Configures the MAC VLAN function to assign VLANs based on users’ MAC
addresses. When the physical location of a user changes, i.e. switching from one
switch to another, it is unnecessary to re-configure the VLAN of the port used by the
user.
With popularization of mobile office, terminal devices usually do not use fixed ports for network access. A terminal device
may use port A to access the network this time, but use port B to access the network next time. If the VLAN configurations of
ports A and B are different, the terminal device will be assigned to a different VLAN in the second access, and fail to use the
resources of the previous VLAN. If the VLAN configurations of ports A and B are the same, security issues may be
introduced when port B is assigned to other terminal devices. How to allow hosts of different VLANs to access the network on
the same port? The MAC VLAN function is hereby introduced.
The biggest advantage of MAC VLAN lies in that when the physical location of a user changes, i.e. switching from one switch
to another, it is unnecessary to re-configure the VLAN of the port used by the user. Therefore, MAC address-based VLAN
assignment can be regarded as user-based.
Deployment
Configure or push MAC VLAN entries on a layer-2 switch or wireless device to assign VLANs based on users’ MAC
addresses.
5-1
Configuration Guide Configuring MAC VLAN
5.3 Overview
Feature
Feature Description
Configuring MAC VLAN Configures the MAC VLAN function to assign VLANs based on users’ MAC
addresses.
When a switch receives a packet, the switch compare the source MAC address of the packet with the MAC address specified
in a MAC VLAN entry. If they match, the switch forwards the packet to the VLAN specified in the MAC VLAN entry. If they
don’t match, the VLAN to which the data stream belongs is still determined by the VLAN assignment rule of the port.
To ensure that a PC is assigned to a specified VLAN no matter which switch it is connected to, you can perform configuration
by using the following approaches:
Static configuration by using commands. You can configure the association between a MAC address and a VLAN on a
local switch by using commands.
Automatic configuration by using an authentication server (802.1Xdynamic VLAN assignment). After a user passes
authentication, a switch dynamically creates an association between the MAC address and a VLAN based on the
information provided by the authentication server. When the user goes offline, the switch automatically deletes the
association. This approach requires that the MAC-VLAN association be configured on the authentication server. For
details about 802.1Xdynamic VLAN assignment, refer to the Configuring 802.1X.
MAC VLAN entries support both of the two approaches, that is, the entries can be configured on both a local switch and an
authentication server. The configurations can take effect only if they are consistent. If the configurations are different, the
configuration performed earlier takes effect.
MAC VLAN entries are effective only for untagged packets, but not effective for tagged packets.
For MAC VLAN entries statically configured or dynamically generated, the specified VLANs must exist.
VLANs specified in MAC VLAN entries cannot be Super VLANs (but can be Sub VLANs), Remote VLANs, or Primary
VLANs (but can be Secondary VLANs).
MAC VLANs are effective for all hybrid ports that are enabled with the MAC VLAN function.
5.4 Configuration
5-2
Configuration Guide Configuring MAC VLAN
Adding a Static MAC VLAN (Optional) It is used to bind MAC addresses with VLANs.
Entry Globally
mac-vlan mac-address Configures a static MAC VLAN entry.
Enable the MAC VLAN function on a port so that MAC VLAN entries can take effect on the port.
Notes
N/A
Configuration Steps
Mandatory.
By default, the MAC VLAN function is disabled on ports and all MAC VLAN entries are ineffective on the ports.
Verification
Run the show mac-vlan interface command to display information about the ports enabled with the MAC VLAN
function.
5-3
Configuration Guide Configuring MAC VLAN
Command Di
Ruijie# show mac-vlan interface
splay
MAC VLAN is enabled on following interface:
---------------------------------------
FastEthernet 0/1
Configuration Example
Configuration Enable the MAC VLAN function on the Fast Ethernet 0/10 port.
Steps
Verification Check the information about the port enabled with the MAC VLAN function.
---------------------------------------
FastEthernet 0/10
Common Errors
When the MAC VLAN function is enabled on a port, the port is not configured as a layer-2 port (such as switch port or AP port)
in advance.
Configure a static MAC VLAN entry to bind a MAC addresses with a VLAN. The 802.1p priority can be
configured, which is 0 by default.
Notes
N/A
Configuration Steps
Optional.
5-4
Configuration Guide Configuring MAC VLAN
To bind a MAC addresses with a VLAN, you should perform this configuration. The 802.1p priority can be
configured, which is 0 by default.
Command mac-vlan mac-address mac-address [mask mac-mask] vlan vlan-id [ priority pri_val ]
Parameter De mac-address mac-address: Indicates a MAC address.
scription mask mac-mask: Indicates a mask.
vlan vlan-id: Indicates the associated VLAN.
priority pri_val: Indicates the priority.
Defaults No static MAC VLAN entry is configured by default.
Command Global configuration mode
Mode
Usage Guide N/A
If an untagged packet is matched with a MAC VLAN entry, the packet is modified to the VLAN specified by the MAC
VLAN entry once arriving at the switch since the MAC VLAN entry has the highest priority. Subsequent functions and
protocols are implemented based on the modified VLAN. Possible influences are as follows:
If an 802.1Xuser fails to be authenticated, the hybrid port jumps to VLAN 100 specified by the FAIL VLAN function;
however, the MAC VLAN entry statically configured redirects all packets of this user to VLAN 200. Consequently, the
user cannot implement normal communication in FAIL VLAN 100.
After an untagged packet is matched with a MAC VLAN entry, the VLAN that triggers MAC address learning is the
VLAN redirected based on the MAC VLAN entry.
For a port that is enabled with the MAC VLAN function, if received packets are matched with both MAC VLAN
entries with full F masks and those without full F masks, the packets are processed based on the MAC VLAN
entries without full F masks.
If an untagged packet is matched with both a MAC VLAN entry and a VOICE VLAN entry, the packet priority is modified
simultaneously. The priority of the VOICE VLAN entry is used as that of the packet.
If an untagged packet is matched with both a MAC VLAN entry and a PROTOCOL VLAN entry, the VLAN carried in the
packet should be the MAC VLAN.
The MAC VLAN function is applied only to untagged packets, but not applied to PRIORITY packets (packets whose
VLAN tag is 0 and carrying COS PRIORITY information) and the processing actions are uncertain.
The QoS packet trust model on a switch is disabled by default, which will change PRIORITY of all packets to 0 and
overwrite the modification on packet priorities by the MAC VLAN function. Run the mls qos trust cos command in the
interface configuration mode to enable the QoS trust model and trust packet priorities.
Optional.
To delete all static MAC VLAN entries, you should perform this configuration.
5-5
Configuration Guide Configuring MAC VLAN
Optional.
To delete the MAC VLAN entry of a specified MAC address, you should perform this configuration.
Optional.
To delete the MAC VLAN entry of a specified VLAN, you should perform this configuration.
Verification
Run the show mac-vlan static command to check whether all static MAC VLAN entries are correct.
Run the show mac-vlan vlan vlan-id command to check whether the MAC VLAN entry of a specified VLAN is correct.
Run the show mac-vlan mac-address mac-address [ mask mac-mask ] command to display the MAC VLAN entry of a
specified MAC address.
5-6
Configuration Guide Configuring MAC VLAN
S: Static D: Dynamic
-------------------------------------------------------
0000.0000.0001 ffff.ffff.ffff 2 0 D
0000.0000.0002 ffff.ffff.ffff 3 3 S
0000.0000.0003 ffff.ffff.ffff 3 3 S&D
Total MAC VLAN address count: 3
Configuration Example
As shown in Figure 5-1, PC-A1 and PC-A2 belong to department A and are assigned to VLAN 100. PC-B1 and PC-B2 belong
to department B and are assigned to VLAN 200. Due to employee mobility, the company provides a temporary office at the
meeting room but requires that accessed employees be assigned to the VLANs of their own departments. For example,
PC-A1 must be assigned to VLAN 100 and PC-B1 must be assigned to VLAN 200 after access.
Since the access ports for PCs at the meeting room are not fixed, the MAC VLAN function can be used to associate the PC
MAC addresses with the VLANs of their departments. No matter which ports the employees use for access, the MAC VLAN
function automatically assigns the VLANs of their departments.
5-7
Configuration Guide Configuring MAC VLAN
Scenario
Figure 5-1
Configuration Configure the port connecting Switch C and Router 1 as a Trunk port.
Steps Configure all ports connecting PCs on Switch C as hybrid ports, enable the MAC VLAN function and
modify the default untagged VLAN list.
Configure MAC VLAN entries on Switch C.
A
A# configure terminal
A(config-if)# exit
A(config-if)# exit
5-8
Configuration Guide Configuring MAC VLAN
S: Static D: Dynamic
-------------------------------------------------------
PC-A1-macffff.ffff.ffff 100 0 S
PC-B1-macffff.ffff.ffff 200 3 S
Total MAC VLAN address count: 2
5.5 Monitoring
Displaying
Description Command
Displays all the MAC VLAN entries, show mac-vlan all
including static and dynamic.
Displays the dynamic MAC VLAN show mac-vlan dynamic
entries.
Displays the static MAC VLAN show mac-vlan static
entries.
Displays the MAC VLAN entries of a show mac-vlan vlan vlan-id
specified VLAN.
Displays the MAC VLAN entries of a show mac-vlan mac-address mac-address [mask mac-mask]
specified MAC address.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs the MAC VLAN function. debug bridge mvlan
5-9
Configuration Guide Configuring Protocol VLAN
6.1 Overview
The protocol VLAN technology is a VLAN distribution technology based on the packet protocol type. It can distribute packets
of a certain protocol type with a null VLAN ID to the same VLAN. That is, the switch, based on the protocol type and
encapsulation format of packets received by ports, matches the received untagged packets with protocol profiles. If the
matching is successful, the switch automatically distributes the packets to a relevant VLAN for transmission. There are two
types of protocol VLANs: IP address-based protocol VLAN and protocol VLAN based on the packet type and Ethernet type
on ports. The protocol VLAN based on the packet type and Ethernet type on ports is called protocol VLAN for short and the
IP address-based protocol VLAN is called subnet VLAN for short.
The protocol VLAN is applicable only to Trunk ports and Hybrid ports.
6.2 Applications
Application Description
Configuration and Application of Implements Layer-2 communication isolation of user hosts that use different protocol
Protocol VLAN packets for communication to reduce the network traffic.
Configuration and Application of Specifies the VLAN range based on the IP network segment to which user packets
Subnet VLAN belong.
As shown in the following figure, the network architecture is composed of the interconnected Windows NT server and Novell
Netware server and the office area is connected to the Layer-3 device Switch A through a hub. There are different PCs in the
office area. Some PCs use the Windows NT operating system (OS) and support the IP protocol, and some PCs use the
Novell Netware OS and support the IPX protocol. PCs in the office area communicate with the external network and servers
through the uplink port Gi 0/3.
The Layer-2 communication of PCs using the Windows NT OS is isolated from that of PCs using the Novell Netware OS,
so as to reduce the network traffic.
6-1
Configuration Guide Configuring Protocol VLAN
Figure 6-1
Remarks Switch A is a switch and Port Gi 0/3 is a Hybrid port. Port Gi 0/1 is an Access port and belongs to VLAN 2. Port Gi
0/2 is also an Access port and belongs to VLAN 3.
Deployment
Configure profiles of the packet type and Ethernet type (in this example, configure Profile 1 for IP protocol packets and
configure Profile 2 for IPX protocol packets).
Apply the profiles to the uplink port (Port Gi 0/3 in this example) and associate them with VLANs (in this example,
associate Profile 1 with VLAN 2 and associate Profile 2 with VLAN 3).
The configured protocol VLANs take effect only on the Trunk ports and Hybrid ports.
As shown in the following figure, PCs in Office A and Office B are connected to the Layer-3 device Switch A through hubs. In
Office A, the PCs belong to a fixed network segment and they are distributed to the same VLAN by port. In Office B, the PCs
belong to two network segments, but they cannot be distributed to VLANs by fixed port.
For PCs in Office B, Switch A can determine the VLAN range of the PCs based on the IP network segment to which their
packets belong.
6-2
Configuration Guide Configuring Protocol VLAN
Figure 6-2
Remarks Switch A is a switch. Port G0/1 is an Access port and belongs to VLAN 2. Port G0/2 is also an Access port and
belongs to VLAN 3. Port G0/3 is a Hybrid port.
Deployment
Globally configure subnet VLANs (in this example, allocate the IP network segment 192.168.1.1/24 to VLAN 3 and the
IP network segment 192.168.2.1/24 to VLAN 2) and enable the subnet VLAN function on the uplink port (Port Gi 0/3 in
this example).
The configured subnet VLANs take effect only on the Trunk ports and Hybrid ports.
6.3 Features
Basic Concepts
Protocol VLAN
The protocol VLAN technology is a VLAN distribution technology based on the packet protocol type. It can distribute packets
of a certain protocol type with a null VLAN ID to the same VLAN.
VLANs need to be specified for packets received by device ports so that a packet belongs to a unique VLAN. There are three
possible cases:
If a packet contains a null VLAN ID (untagged or priority packet) and the device supports only port-based VLAN
distribution, the VLAN ID in the tag added to the packet is the PVID of the input port.
6-3
Configuration Guide Configuring Protocol VLAN
If a packet contains a null VLAN ID (untagged or priority packet) and the device supports VLAN distribution based on
the packet protocol type, the VLAN ID in the tag added to the packet is selected from the VLAN IDs mapped to the
protocol suite configuration of the input port. If the protocol type of the packet does not match all protocol suite
configuration of the input port, a VLAN ID is allocated according to the port-based VLAN distribution.
If a packet is a tagged packet, the VLAN to which the packet belongs is determined by the VLAN ID in the tag.
Subnet VLANs can be configured only globally that is, only the protocol VLAN function can be enabled or disabled on ports.
The matching configuration is globally performed for the protocol VLAN, the matching configuration is selected on ports and
the VLAN IDs are specified for packets that are matched successfully.
If an input packet contains a null VLAN ID and the IP address of the input packet matches an IP address, the packet is
distributed to the subnet VLAN.
If an input packet contains a null VLAN ID and the packet type and Ethernet type of the input packet match the packet
type and Ethernet type of an input port, the packet is allocated to the protocol VLAN.
The priority of a subnet VLAN is higher than that of a protocol VLAN. That is, if a subnet VLAN and protocol VLAN are
configured at the same time and an input packet conforms to both the subnet VLAN and protocol VLAN, the subnet VLAN
prevails.
Overview
Feature Description
Automatic The service types supported on a network are bound with VLANs or packets from a specified IP
VLAN Distribution network segment are transmitted in a specified VLAN to facilitate management and maintenance.
Based on Packet
Type
Set rules on the hardware and enable the rules on ports. The rules take effect only after they are enabled on ports. The rules
include the packet type and IP address of packets. When a port receives untagged data packets that meet the rules, the port
automatically distributes them to the VLAN specified in the rules for transmission. When the rules are disabled on ports,
untagged data packets are distributed to the Native VLAN according to the port configuration.
Related Configuration
6.4 Configuration
6-4
Configuration Guide Configuring Protocol VLAN
(Mandatory) It is used to enable the VLAN distribution function based on the packet type and
Ethernet type of the protocol VLAN.
protocol-vlan profile num frame-type [ type ] Configures the profile of the packet type and
ether-type [ type ] Ethernet type.
Configuring the Protocol
Configures the profile of the Ethernet type
VLAN Function
protocol-vlan profile num ether-type [ type ] (some models do not support frame
identification).
Configuring the Subnet protocol-vlan ipv4 address mask address Configures an IP address, subnet mask, and
VLAN Function vlan vid VLAN distribution.
Bind service types supported in a network with VLANs to facilitate management and maintenance.
Notes
It is recommended that the protocol VLAN be configured after VLANs, and the Trunk, Hybrid, Access, and AP attributes
of ports are configured.
If protocol VLAN is configured on a Trunk port or Hybrid port, all VLANs relevant to the protocol VLAN need to be
contained in the permitted VLAN list of the Trunk port or Hybrid port.
Configuration Steps
Mandatory.
The protocol VLAN can be applied on an interface only in global configuration mode.
6-5
Configuration Guide Configuring Protocol VLAN
Mandatory. The protocol VLAN function takes effect only on ports that are in Trunk/Hybrid mode.
Verification
Configuration Example
6-6
Configuration Guide Configuring Protocol VLAN
Scenario
Figure 6-3
# configure terminal
A(config-if-GigabitEthernet 0/1)#switchport
A(config-if-GigabitEthernet 0/1)#exit
6-7
Configuration Guide Configuring Protocol VLAN
A(config-if-GigabitEthernet 0/2)#switchport
A(config-if-GigabitEthernet 0/2)#exit
A(config-if-GigabitEthernet 0/3)#switchport
Configure Profile 1 for IP protocol packets and Profile 2 for IPX protocol packets (in this example,
assume that packets are encapsulated using Ethernet II and the Ethernet types of IP protocol packets
and IPX protocol packets are 0X0800 and 0X8137 respectively).
4. Apply Profile 1 and Profile 2 to Port Gi 0/3 and allocate Profile 1to VLAN 2 and Profile 2 to
VLAN 3.
Verification Check whether the protocol VLAN configuration on the device is correct.
A
A(config)#show protocol-vlan profile
1 ETHERII 0x0800
Gi0/3 2
2 ETHERII 0x8137
6-8
Configuration Guide Configuring Protocol VLAN
Gi0/3 3
Common Errors
The permitted VLAN list of the port connected to the device does not contain the user communication VLANs.
Distribute packets from a specified network segment or IP address to a specified VLAN for transmission.
Notes
It is recommended that the protocol VLAN be configured after VLANs, and the Trunk, Hybrid, Access, and AP attributes
of ports are configured.
If protocol VLAN is configured on a Trunk port or Hybrid port, all VLANs relevant to the protocol VLAN need to be
contained in the permitted VLAN list of the Trunk port or Hybrid port.
Configuration Steps
Mandatory.
The subnet VLAN can be applied on an interface only in global configuration mode.
Mandatory. The subnet VLAN function takes effect only on ports that are in Trunk/Hybrid mode.
6-9
Configuration Guide Configuring Protocol VLAN
Parameter De N/A
scription
Defaults The subnet VLAN is disabled by default.
Command Interface configuration mode
Mode
Usage Guide An interface must work in Trunk/Hybrid mode.
Verification
Configuration Example
Scenario
Figure 6-4
A# configure terminal
6-10
Configuration Guide Configuring Protocol VLAN
A(config-if-GigabitEthernet 0/1)#switchport
A(config-if-GigabitEthernet 0/1)#exit
A(config-if-GigabitEthernet 0/2)#switchport
A(config-if-GigabitEthernet 0/2)#exit
A(config-if-GigabitEthernet 0/3)#switchport
4. Enable the subnet VLAN on interfaces. The subnet VLAN is disabled by default.
Verification Check whether the subnet VLAN configuration on the device is correct.
A
A# show protocol-vlan ipv4
ip mask vlan
192.168.1.0 255.255.255.0 3
192.168.2.0 255.255.255.0 2
6-11
Configuration Guide Configuring Protocol VLAN
-------------------- -----------
Gi0/3 enable
Common Errors
The permitted VLAN list of the port connected to the device does not contain the user communication VLANs.
6.5 Monitoring
Displaying
Description Command
Displays the protocol VLAN content. show protocol-vlan
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs the protocol VLAN. debug bridge protvlan
6-12
Configuration Guide Configuring Private VLAN
7.1 Overview
Private VLAN divides the Layer-2 broadcast domain of a VLAN into multiple subdomains. Each subdomain is composed of
one private VLAN pair: primary VLAN and secondary VLAN.
One private VLAN domain may consist of multiple private VLAN pairs and each private VLAN pair represents one subdomain.
In a private VLAN domain, all private VLAN pairs share the same primary VLAN. The secondary VLAN IDs of subdomains
are different.
If a service provider allocates one VLAN to each user, the number of users that can be supported by the service provider is
restricted because one device supports a maximum of 4,096 VLANs. On a Layer-3 device, one subnet address or a series of
addresses are allocated to each VLAN, which results in the waste of IP addresses. The private VLAN technology properly
solves the preceding two problems. Private VLAN is hereinafter called PVLAN for short.
7.2 Applications
Application Description
Cross-Device Layer-2 Application of Users of an enterprise can communicate with each other but the user communication
PVLAN between enterprises is isolated.
Layer-3 Application of PVLAN on a All enterprise users share the same gateway address and can communicate with the
Single Device external network.
As shown in the following figure, in the hosting service operation network, enterprise user hosts are connected to the network
through Switch A or Switch B. The main requirements are as follows:
Users of an enterprise can communicate with each other but the user communication between enterprises is isolated.
All enterprise users share the same gateway address and can communicate with the external network.
7-1
Configuration Guide Configuring Private VLAN
Figure 7-1
Remarks
Switch A and Switch B are access switches.
PVLAN runs across devices. The ports for connecting the devices need to be configured as Trunk ports, that is,
Port Gi 0/5 of Switch A and Port Gi 0/1 of Switch B are configured as Trunk ports.
Port Gi 0/1 for connecting Switch A to the gateway needs to be configured as a promiscuous port.
Port Gi 0/1 of the gateway can be configured as a Trunk port or Hybrid port and the Native VLAN is the primary
VLAN of PVLAN.
Deployment
Configure all enterprises to be in the same PVLAN (primary VLAN 99 in this example). All enterprise users share the
same Layer-3 interface through this VLAN to communicate with the external network.
If an enterprise has multiple user hosts, allocate the user hosts of different enterprises to different community VLANs.
That is, configure the ports connected to the enterprise user hosts as the host ports of a community VLAN, so as to
implement user communication inside an enterprise but isolate the user communication between enterprises.
If an enterprise has only one user host, configure the ports connected to the user hosts of such enterprises as the host
ports of an isolated VLAN so as to implement isolation of user communication between the enterprises.
7-2
Configuration Guide Configuring Private VLAN
Users of an enterprise can communicate with each other but the user communication between enterprises is isolated.
All enterprise users can access the server.
All enterprise users share the same gateway address and can communicate with the external network.
Figure 7-2
Remarks
Switch A is a gateway switch.
When user hosts are connected to a single device, Port Gi 0/7 for connecting to the server is configured as a
promiscuous port so that enterprise users can communicate with the server.
Layer-3 mapping needs to be performed on the primary VLAN and secondary VLANs so that the users can
communicate with the external network.
Deployment
Configure the port that is directly connected to the server as a promiscuous port. Then, all enterprise users can
communicate with the server through the promiscuous port.
Configure the gateway address of PVLAN on the Layer-3 device (Switch A in this example) (in this example, set the SVI
address of VLAN 2 to 192.168.1.1/24) and configure the mapping between the primary VLAN and secondary VLANs on
the Layer-3 interface. Then, all enterprise users can communicate with the external network through the gateway
address.
7.3 Features
Basic Concepts
7-3
Configuration Guide Configuring Private VLAN
PVLAN
PVLAN supports three types of VLANs: primary VLANs, isolated VLANs, and community VLANs.
A PVLAN domain has only one primary VLAN. Secondary VLANs implement Layer-2 isolation in the same PVLAN domain.
There are two types of secondary VLANs.
Isolated VLAN
Ports in the same isolated VLAN cannot mutually make Layer-2 communication. A PVLAN domain has only one isolated
VLAN.
Community VLAN
Ports in the same community VLAN can make Layer-2 communication with each other but cannot make Layer-2
communication with ports in other community VLANs. A PVLAN domain can have multiple community VLANs.
PVLAN pairs exist only after Layer-2 association is performed among the three types of VLANs of PVLAN. Then, a primary
VLAN has a specified secondary VLAN and a secondary VLAN has a specified primary VLAN. A primary VLAN and
secondary VLANs are in the one-to-many relationship.
In PVLAN, Layer-3 interfaces, that is, switched virtual interfaces (SVIs) can be created only in a primary VLAN. Users in a
secondary VLAN can make Layer-3 communication only after Layer-3 association is performed between the secondary
VLAN and the primary VLAN. Otherwise, the users can make only Layer-2 communication.
Isolated Port
A port in an isolated VLAN can communicate only with a promiscuous port. An isolated port can forward the received packets
to a Trunk port but a Trunk port cannot forward the packets with the VID of an isolated VLAN to an isolated port.
Community Port
Community ports are ports in a community VLAN. Community ports in the same community VLAN can communicate with
each other and can communicate with promiscuous ports. They cannot communicate with community ports in other
community VLANs or isolated ports in an isolated VLAN.
Promiscuous Port
Promiscuous ports are ports in a primary VLAN. They can communicate with any ports, including isolated ports and
community ports in secondary VLANs of the same PVLAN domain.
A promiscuous Trunk port is a member port that belongs to multiple common VLANs and multiple PVLANs at the same time.
It can communicate with any ports in the same VLAN.
7-4
Configuration Guide Configuring Private VLAN
In PVLAN, for tagged packets to be forwarded by a promiscuous Trunk port, if the VID of the packets is a secondary
VLAN ID, the VID is converted into the corresponding primary VLAN ID before packet forwarding.
An isolated Trunk port is a member port that belongs to multiple common VLANs and multiple PVLANs at the same time.
In an isolated VLAN, an isolated Trunk port can communicate only with a promiscuous port.
In a community VLAN, an isolated Trunk port can communicate with community ports in the same community VLAN
and promiscuous ports.
In a common VLAN, packet forwarding complies with 802.1Q.
An isolated Trunk port can forward the received packets of an isolated VLAN ID to a Trunk port but a Trunk port cannot
forward the packets with the VID of an isolated VLAN to an isolated port.
For tagged packets to be forwarded by an isolated Trunk port, if the VID of the packets is a primary VLAN ID, the VID is
converted into a secondary VLAN ID before packet forwarding.
In PVLAN, SVIs can be created only in a primary VLAN and SVIs cannot be created in secondary VLANs.
Ports in PVLAN can be used as mirroring source ports but cannot be used as mirroring destination ports.
Overview
Feature Description
Ports of different PVLAN types can be configured to implement interworking and isolation of VLAN
PVLAN Layer-2 intermediate user hosts.
Isolation and IP After Layer-2 mapping is performed between a primary VLAN and secondary VLANs, only Layer-2
Address Saving communication is supported. If Layer-3 communication is required, users in a secondary VLAN need
to use SVIs of the primary VLAN to make Layer-3 communication.
Working Principle
Configure PVLAN, configure Layer-2 association and Layer-3 association between a primary VLAN and SubVLANs of
PVLAN, and configure ports connected to user hosts, external network devices, and servers as different types of PVLAN
ports. In this way, subdomain division and communication of users in subdomains with the external network and servers can
be implemented.
7-5
Configuration Guide Configuring Private VLAN
VLAN Tag Changes After Packet Forwarding Between Ports of Different Types
Output Port Promiscuous Isolated Community Isolated Trunk Port Promiscuous Trunk Port
Port Port Port (in the Same Trunk Port (in the
VLAN) (in the Same Same
Input Port VLAN) VLAN)
Promiscuous Unchanged Unchanged Unchanged A secondary VLAN A primary VLAN A primary
Port ID is added. ID tag is added VLAN ID
and the VLAN tag tag is
keeps unchanged added.
in the
non-PVLAN.
Isolated Port Unchanged NA NA NA A primary VLAN An isolated
ID tag is added VLAN ID
and the VLAN tag tag is
keeps unchanged added.
7-6
Configuration Guide Configuring Private VLAN
Output Port Promiscuous Isolated Community Isolated Trunk Port Promiscuous Trunk Port
Port Port Port (in the Same Trunk Port (in the
VLAN) (in the Same Same
Input Port VLAN) VLAN)
in the
non-PVLAN.
Community Unchanged NA Unchanged A community VLAN A primary VLAN A
Port ID tag is added. ID tag is added community
and the VLAN tag VLAN ID
keeps unchanged tag is
in the added.
non-PVLAN.
Isolated The VLAN tag NA The VLAN The VLAN tag A primary VLAN Unchanged
Trunk Port is removed. tag is keeps unchanged in ID tag is added
(in the Same removed. a non-isolated and the VLAN tag
VLAN) VLAN. keeps unchanged
in the
non-PVLAN.
Promiscuous The VLAN tag Unchanged Unchanged A secondary VLAN A primary VLAN Unchanged
Trunk Port is removed. ID is added. ID tag is added
(in the Same and the VLAN tag
VLAN) keeps unchanged
in the
non-PVLAN.
Trunk Port The VLAN tag NA The VLAN The VLAN tag is A primary VLAN Unchanged
(in the Same is removed. tag is converted into a ID tag is added
VLAN) removed. secondary VLAN ID and the VLAN tag
in a primary VLAN keeps unchanged
and the VLAN tag in the
keeps unchanged in non-PVLAN.
other non-isolated
VLANs.
Switch CPU Untag Untag Untag A secondary VLAN A primary VLAN A primary
ID tag is added. ID tag is added VLAN ID
and the VLAN tag tag is
keeps unchanged added.
in the
non-PVLAN.
7-7
Configuration Guide Configuring Private VLAN
7.4 Configuration
Enable PVLAN subdomains to form to implement isolation between enterprises and between enterprise users.
Implement Layer-3 mapping between multiple secondary VLANs and the primary VLAN so that and multiple VLANs
uses the same IP gateway, thereby helping save IP addresses.
7-8
Configuration Guide Configuring Private VLAN
Notes
After a primary VLAN and a secondary VLAN are configured, a PVLAN subdomain exist only after Layer-2 association
is performed between them.
A port connected to a use host must be configured as a specific PVLAN port so that the user host joins a subdomain to
implement the real user isolation.
The port connected to the external network and the port connected to a server must be configured as promiscuous
ports so that upstream and downstream packets are forwarded normally.
Users in a secondary VLAN can make Layer-3 communication through the SVI of the primary VLAN only after Layer-3
mapping is performed between the secondary VLAN and the primary VLAN.
Configuration Steps
Configuring PVLAN
Mandatory.
A primary VLAN and a secondary VLAN must be configured. The two types of VLANs cannot exist independently.
Run the private-vlan { community | isolated | primary } command to configure a VLAN as the primary VLAN of
PVLAN and other VLANs as secondary VLANs.
primary: Specifies that the VLAN type is the primary VLAN of a PVLAN pair.
Defaults VLANs are common VLANs and do not have the attributes of PVLAN.
Command VLAN mode
Mode
Usage Guide This command is used to specify the primary VLAN and secondary VLANs of PVLAN.
Mandatory.
PVLAN subdomains form, and isolated ports, community ports, and Layer-3 association can be configured only after
Layer-2 association is performed between the primary VLAN and secondary VLANs of PVLAN.
By default, after various PVLANs are configured, the primary VLANs and secondary VLANs are independent of each
other. A primary VLAN has a secondary VLAN and a secondary VLAN has a primary VLAN only after Layer-2
association is performed.
Run the private-vlan association { svlist | add svlist | remove svlist } command to configure or cancel the Layer-2
association between the primary VLAN and secondary VLANs of PVLAN. A PVLAN subdomain forms only after Layer-2
association is configured,. The PVLAN subdomain does not exist after Layer-2 association is cancelled. If Layer-2
association is not performed, when isolated ports and promiscuous ports are used to configure associated PVLAN pairs,
the configuration will fail or the association between ports and VLANs will be cancelled.
7-9
Configuration Guide Configuring Private VLAN
remove svlist: Cancels the association between svlist and the primary VLAN.
Defaults By default, the primary VLAN and secondary VLANs are not associated.
Command Primary VLAN mode of PVLAN
Mode
Usage Guide
This command is used to configure Layer-2 association between a primary VLAN and secondary VLANs to
form PVLAN pairs.
Each primary VLAN can be associated with only one isolated VLAN but can be associated with multiple
community VLANs.
If users in a secondary VLAN domain need to make Layer-3 communication, configure a Layer-3 interface SVI for the
primary VLAN and then configure Layer-3 association between the primary VLAN and secondary VLANs on the SVI.
By default, SVIs can be configured only in a primary VLAN. Secondary VLANs do not support Layer-3 communication.
If users in a secondary VLAN of PVLAN need to make Layer-3 communication, the SVI of the primary VLAN needs to
be used to transmit and receive packets.
Run the private-vlan mapping { svlist | add svlist | remove svlist } command to configure or cancel the Layer-3
association between the primary VLAN and secondary VLANs of PVLAN. Users in a secondary VLAN can make
Layer-3 communication with the external network only after Layer-3 association is configured. After Layer-3 association
is cancelled, users in a secondary VLAN cannot make Layer-3 communication.
remove svlist: Cancels the secondary VLANs associated with a Layer-3 interface.
Defaults By default, the primary VLAN and secondary VLANs are not associated.
Command Interface configuration mode of the primary VLAN
Mode
Usage Guide
A Layer-3 SVI must be configured for the primary VLAN first.
Layer-2 association must be performed between associated secondary VLANs and the primary VLAN.
After the primary VLAN and secondary VLANs of PVLAN as well as Layer-2 association are configured, allocate the
device ports connected to user hosts so as to specify the subdomains to which the user hosts belong.
7-10
Configuration Guide Configuring Private VLAN
If an enterprise has only one user host, set the port connected to the user host as an isolated port.
If an enterprise has multiple user hosts, set the ports connected to the user hosts as community ports.
Command switchport mode private-vlan host
switchport private-vlan host-association p_vid s_vid
Parameter De
p_vid: Indicates the primary VLAN ID in a PVLAN pair.
scription
s_vid: Indicates the secondary VLAN ID in a PVLAN pair. The port is an associated port if the VLAN is an
isolated VLAN and the port is a community port if the VLAN is a community VLAN.
Defaults By default, the interface works in Access mode; no private VLAN pairs are associated.
Command Both commands run in interface configuration mode.
Mode
Usage Guide
Both the preceding commands need to be configured. Before a port is configured as an isolated port or
promiscuous port, and the port mode must be configured as the host port mode.
Whether a port is configured as an isolated port or community port depends on the s_vid parameter.
p_vid and s_vid must be respectively the IDs of the primary VLAN and secondary VLAN in a PVLAN pair,
on which Layer-2 association is performed.
One host port can be associated with only one PVLAN pair.
According to the table listing port packet transmission and receiving rules in section "Features", the single port type of
PVLAN cannot ensure symmetric forwarding of upstream and downstream packets. Ports for connecting to the external
network or server need to be configured as promiscuous ports to ensure that users can successfully access the
external network or server.
Command switchport mode private-vlan promiscuous
switchport private-vlan mapping p_vid{ svlist | add svlist | remove svlist }
Parameter De
p_vid: Indicates the primary VLAN ID in a PVLAN pair.
scription
svlist: Indicates the secondary VLAN associated with a promiscuous port. Layer-2 association must be
performed between it and p_vid.
If a port is configured as a promiscuous port, it must be associated with PVLN pairs. Otherwise, the port
cannot bear or forward services.
One promiscuous port can be associated with multiple PVLAN pairs within one primary VLAN but cannot be
7-11
Configuration Guide Configuring Private VLAN
Verification
Make user hosts connected to PVLAN ports transmit and receive packets as per PVLAN port forwarding rules to implement
isolation. Configure Layer-3 association to make users in the primary VLAN and secondary VLANs of the same PVLAN to
share the same gateway IP address and make Layer-3 communication.
Configuration Example
Figure 7-3
Configuration Configure all enterprises to be in the same PVLAN (primary VLAN 99 in this example). All enterprise
Steps users share the same Layer-3 interface through this VLAN to communicate with the external network.
If an enterprise has multiple user hosts, allocate each enterprise to a different community VLAN (in this
example, allocate Enterprise A to Community VLAN 100) to implement user communication inside an
enterprise and isolate user communication between enterprises.
If an enterprise has only one user host, allocate such enterprises to the same isolated VLAN (in this
example, allocate Enterprise B and Enterprise C to Isolated VLAN 101) to isolate user communication
between enterprises.
A
SwitchA#configure terminal
SwitchA(config)#vlan 99
7-12
Configuration Guide Configuring Private VLAN
SwitchA(config-vlan)#private-vlan primary
SwitchA(config-vlan)#exit
SwitchA(config)#vlan 100
SwitchA(config-vlan)#private-vlan community
SwitchA(config-vlan)#exit
SwitchA(config)#vlan 101
SwitchA(config-vlan)#private-vlan isolated
SwitchA(config-vlan)#exit
SwitchA(config)#vlan 99
SwitchA(config-vlan)#exit
SwitchA(config-if-range)#exit
SwitchA(config-if-GigabitEthernet 0/5)#exit
B
SwitchB#configure terminal
SwitchB(config)#vlan 99
SwitchB(config-vlan)#private-vlan primary
SwitchB(config-vlan)#exit
SwitchB(config)#vlan 100
SwitchB(config-vlan)#private-vlan community
SwitchB(config-vlan)#exit
SwitchB(config)#vlan 101
SwitchB(config-vlan)#private-vlan isolated
7-13
Configuration Guide Configuring Private VLAN
SwitchB(config-vlan)#exit
SwitchB(config)#vlan 99
SwitchB(config-vlan)#exit
SwitchB(config-if-GigabitEthernet 0/2)#exit
SwitchB(config-if-GigabitEthernet 0/3)#exit
SwitchB(config-if-GigabitEthernet 0/1)#exit
Verification Check whether VLANs and ports are correctly configured, and check whether packet forwarding is correct
according to packet forwarding rules in section "Features".
A
SwitchA#show running-config
vlan 99
private-vlan primary
vlan 100
private-vlan community
vlan 101
private-vlan isolated
7-14
Configuration Guide Configuring Private VLAN
------------------------------ ------------------
...
B
SwitchB#show running-config
vlan 99
private-vlan primary
7-15
Configuration Guide Configuring Private VLAN
vlan 100
private-vlan community
vlan 101
private-vlan isolated
Common Errors
Layer-2 association is not performed between the primary VLAN and secondary VLANs of PVLAN, and a port VLAN list
fails to be added when isolated ports, promiscuous ports, and community ports are configured.
One host port fails to be associated with multiple PVLAN pairs.
Configuration Example
7-16
Configuration Guide Configuring Private VLAN
Figure 7-4
Configuration Configure the PVLAN function on the device (Switch A in this example). For details about the
Steps configuration, see configuration tips in "Cross-Device Layer-2 Application of PVLAN."
Set the port that is directly connected to the server (Port Gi 0/7 in this example) as a promiscuous port.
Then, all enterprise users can communicate with the server through the promiscuous port.
Configure the gateway address of PVLAN on the Layer-3 device (Switch A in this example) (in this
example, set the SVI address of VLAN 2 to 192.168.1.1/24) and configure the Layer-3 interface
mapping between the primary VLAN (VLAN 2 in this example) and secondary VLANs (VLAN 10, VLAN
20, and VLAN 30 in this example). Then, all enterprise users can communicate with the external
network through the gateway address.
Run PVLAN cross devices and configure the ports for connecting to the devices as Trunk ports.
A
SwitchA#configure terminal
SwitchA(config)#vlan 2
SwitchA(config-vlan)#private-vlan primary
SwitchA(config-vlan)#exit
SwitchA(config)#vlan 10
SwitchA(config-vlan)#private-vlan community
SwitchA(config-vlan)#exit
SwitchA(config)#vlan 20
SwitchA(config-vlan)#private-vlan community
SwitchA(config-vlan)#exit
7-17
Configuration Guide Configuring Private VLAN
SwitchA(config)#vlan 30
SwitchA(config-vlan)#private-vlan isolated
SwitchA(config-vlan)#exit
SwitchA(config)#vlan 2
SwitchA(config-vlan)#exit
SwitchA(config-if-range)#exit
SwitchA(config-if-range)#exit
SwitchA(config-if-range)#exit
SwitchA(config-if-GigabitEthernet 0/7)#exit
SwitchA(config)#interface vlan 2
SwitchA(config-if-VLAN 2)#exit
Verification Ping the gateway address 192.168.1.1 from user hosts in different subdomains. The ping operation is
successful.
A
SwitchA#show running-config
7-18
Configuration Guide Configuring Private VLAN
vlan 2
private-vlan primary
vlan 10
private-vlan community
vlan 20
private-vlan community
vlan 30
private-vlan isolated
7-19
Configuration Guide Configuring Private VLAN
interface VLAN 2
no ip proxy-arp
------------------------------ ------------------
Common Errors
No Layer-2 association is performed on the primary VLAN and secondary VLANs of PVLAN and the Layer-3
association fails to be configured.
The device is connected to the external network before Layer-3 association is configured. As a result, the device cannot
communicate with the external network.
The interfaces for connecting to the server and the external network are not configured as promiscuous
interfaces, which results in asymmetric forwarding of upstream and downstream packets.
7-20
Configuration Guide Configuring Private VLAN
7.5 Monitoring
Displaying
Description Command
Displays PVLAN configuration. show vlan private-vlan
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs PVLAN. debug bridge pvlan
7-21
Configuration Guide Configuring Voice VLAN
8.1 Overview
IP phones are widely used thanks to rapid development of technologies. The voice virtual local area network (VLAN) is a
VLAN dedicated to voice data streams of users.
By creating a voice VLAN and add ports connected to voice devices to the voice VLAN, you can transmit voice data in a
centralized manner in the voice VLAN, and configure Quality of Service (QoS) for voice streams to improve the transmission
priority of voice streams and ensure the voice service quality.
8.2 Applications
Application Description
Configuring the Automatic Mode of IP phones and PCs form a daisy chain and are connected to the network. Deployed
the Voice VLAN IP phones can automatically obtain the IP addresses and voice VLAN information and
send tagged voice streams.
Configuring the Manual Mode of the IP phones are directly connected to the network.
Voice VLAN
Isolating Voice Streams from Data PCs are connected to IP phones, and IP phones are connected to a switch. IP phones
Streams automatically obtain the IP addresses and send untagged voice streams.
IP phones and PCs form a daisy chain and are connected to the network. Both voice and data streams are transmitted on
this link. Voice streams are transmitted in the voice VLAN, whereas data streams are transmitted in the data VLAN. This
ensures that voice and data streams do not interfere with each other. This networking is used when common office staff need
to use PCs for data communication, and IP phones for voice communication.
8-1
Configuration Guide Configuring Voice VLAN
Figure 8-1 Networking When the Voice VLAN Works in Automatic Mode
The Fa 0/1 port is connected to an IP phone that automatically obtains the IP address. After obtaining the IP address in the
voice VLAN, the IP phone can be used normally. The Fa 0/1 port is required to forward both voice and data streams and
isolate voice streams from data streams. The port can be configured as a trunk port. The native VLAN forwards data
streams, whereas the voice VLAN forwards voice streams.
A device supporting the voice VLAN can check whether a stream is a voice stream of a specified voice device based on the
source MAC address field in each data packet received by the port. If the source MAC address of a packet in the stream
matches the Organizationally Unique Identifier (OUI) configured on the device, the stream is treated as the voice stream and
transmitted in the voice VLAN.
The OUI is the first 24 bits of the MAC address. It is a globally unique identifier allocated by the Institute of Electrical and
Electronics Engineers (IEEE) to an equipment supplier. You can determine the supplier of a product based on the OUI.
Deployment
Enable the port connected to IP phones to work in automatic mode and send tagged voice streams to devices.
An IP phone is directly connected to the voice VLAN, and only voice streams exist on the link. This type of networking is
generally used when IP phones are deployed in conference rooms or when no PC is required to implement data services.
8-2
Configuration Guide Configuring Voice VLAN
Figure 8-2 Networking When the Voice VLAN Works in Manual Mode
The deployed IP phone automatically obtains the IP address, and sends untagged voice streams. As the Fa0/1 port is
connected to the IP phone that sends only untagged voice streams, and untagged voice streams do not support the
automatic mode, the port can only be set to work in manual mode. The Fa0/1 port is configured as a hybrid port. According to
the matching relationship requirement (see "Features"), the native VLAN of the Fa0/1 port must be a voice VLAN, and the
voice VLAN must be added to the allowed untagged VLAN list of the port.
Deployment
Enable the port connected to IP phones to work in manual mode and send untagged voice streams to devices.
To ensure the quality of calls, voice data must be transmitted in the dedicated voice VLAN, and this voice VLAN cannot
transmit non-voice data.
8-3
Configuration Guide Configuring Voice VLAN
Figure 8-3 Networking That Isolates Voice Streams from Data Streams
The Fa 0/1 port is required to forward both voice and data streams and isolate voice streams from data streams. As both IP
phones and PCs send untagged streams, the port must be configured as a hybrid port. The native VLAN forwards data
streams, whereas the voice VLAN forwards voice streams. The IP phone connected to the Fa0/1 port sends untagged voice
streams. Therefore, the voice VLAN mode must be set to the manual mode. The PC sends untagged data streams. To
isolate voice streams from data streams, the MAC VLAN function must be enabled on the Fa0/1 port. The native VLAN of the
Fa0/1 port is a data VLAN. In addition, to ensure that received data and voice streams are untagged, both the data VLAN and
voice VLAN must be added to the allowed untagged VLAN list of the port. The security mode of the port must be disabled to
ensure that data streams can be forwarded.
Deployment
PCs are connected to IP phones, and IP phones are connected to a switch. IP phones automatically obtain the IP
addresses and send untagged voice streams. The security mode is disabled on devices.
8.3 Features
Basic Concepts
Ports in the voice VLAN can work either in automatic or manual mode. The way that ports are added to the voice VLAN
varies according to the working mode.
Automatic mode:
When a packet sent by an IP phone arrives at a device supporting the voice VLAN, the device identifies the source MAC
address of the packet and compares this address with the OUI. If the source MAC address matches the OUI, the device
automatically adds the input port of the voice packet to the voice VLAN, issues a policy to change the priority of the voice
8-4
Configuration Guide Configuring Voice VLAN
packet to the priority of the voice stream in the voice VLAN configured on the device, and uses the aging mechanism to
maintain ports in the voice VLAN. If the system does not receive any voice packet from an input port before the aging timer
expires, the system deletes this port from the voice VLAN.
Manual mode:
In manual port, the administrator manually adds a port to or deletes a port from the voice VLAN. The device identifies the
source MAC address of the voice packet sent by the IP phone and compares this address with the OUI configured on the
device. If the source MAC address matches the OUI, the device issues a policy to change the priority of the voice packet to
the priority of the voice stream in the voice VLAN configured on the device.
The automatic mode is applicable to the scenario where the PC and IP phone are serially connected to the port and transmit
both voice and data streams.
The manual mode is applicable to the scenario where the IP phone is directly connected to a switch and the port transmits
only voice packets. In this networking mode, the port is dedicated to transmission of voice streams, which prevents data
streams from affecting transmission of voice streams.
Based on the way that IP phones obtain IP addresses and voice VLAN information, IP phones are classified into the following
types:
The IP phone automatically obtains the IP address and the voice VLAN ID. This type of IP phones can send both
tagged and untagged voice streams.
The IP address and the voice VLAN ID are manually configured for the IP phone.
Like any other network device, an IP phone needs an IP address before it can implement communication normally on the
network. An IP phone obtains an IP address in either of the following ways:
The IP address is automatically obtained through the Dynamic Host Configuration Protocol (DHCP).
When automatically obtaining an IP address, the IP phone can also request the voice VLAN information from the DHCP
server. If the DHCP server returns the voice VLAN information, the IP phone can directly send the voice stream containing
the voice VLAN tag. If the DHCP server does not return any voice VLAN information, the IP phone sends the voice
stream without the voice VLAN tag. If the IP phone support manual configuration of the IP address and voice VLAN ID, you
can manually configure the IP address and voice VLAN information on the IP hone. The IP phone sends the tagged or
untagged voice streams based on your configuration.
Voice VLAN Port and IP Phone That Sends Tagged Voice Streams
When sending the tagged voice stream, an IP hone must have obtain the voice VLAN information either automatically or
through manual configuration. In this case, different types of ports must be configured accordingly so that voice packets can
be transmitted normally in the voice VLAN without affecting forwarding of data streams by the switch. Unlike the IP phone
that automatically obtains the voice VLAN information, the IP phone that supports manual configuration of the voice VLAN
sends and receives only voice streams that contain the voice VLAN tag.
8-5
Configuration Guide Configuring Voice VLAN
Voice VLAN Port and IP Phone That Sends Untagged Voice Streams
An IP phone sends or receives untagged voice streams in either of the following cases:
1. The IP phone automatically obtains an IP address, but not the voice VLAN information.
2. The IP address is manually configured, but the voice VLAN information is not configured.
When the IP phone sends untagged voice streams, you must configure the default VLAN of the input port and add the default
VLAN to the allowed VLAN list of the port. In addition, you must configure the default VLAN of the port as a voice VLAN so
that the voice stream can be transmitted in the voice VLAN. In this case, the working mode of the voice VLAN of the port can
only be set to the manual mode.
The way and process that an IP phone obtains IP address and voice VLAN information vary according to models of IP
phones supplied by vendors. The working principle may differ from the preceding description. For details, see the user
manual of the IP phone.
The following table describes the relationship between the working mode of the voice VLAN, IP phone type, and port type.
Working Mode of the Voice Stream Type Port Type Supported Or Not
Voice VLAN
Automatic mode Tagged voice stream Access Port Not supported.
Private VLAN host port Not supported.
Private VLAN hybrid port Not supported.
Trunk port Supported. The native VLAN connected
to the port must exist and cannot be a
voice VLAN. In addition, the port allows
packets of the native VLAN to pass
through.
Hybrid port Supported. The native VLAN connected
to the port must exist and cannot be a
voice VLAN. In addition, the port allows
packets of the native VLAN to pass
through.
Uplink port Supported. The native VLAN connected
to the port must exist and cannot be a
voice VLAN. In addition, the port allows
packets of the native VLAN to pass
through.
Untagged voice Access port Not supported.
stream Private VLAN host port Not supported.
Private VLAN hybrid port Not supported.
Trunk port Not supported.
Hybrid port Not supported.
Uplink port Not supported.
8-6
Configuration Guide Configuring Voice VLAN
Working Mode of the Voice Stream Type Port Type Supported Or Not
Voice VLAN
Manual mode Tagged voice stream Access port Not supported.
Private VLAN host port Not supported.
Private VLAN hybrid port Not supported.
Trunk port Supported. The native VLAN connected
to the port must exist and cannot be a
voice VLAN. In addition, the port allows
packets of the native VLAN and the
voice VLAN to pass through.
Hybrid port Supported. The native VLAN connected
to the port must exist and cannot be a
voice VLAN. In addition, the port allows
packets of the native VLAN to pass
through, and the voice VLAN must be in
the allowed tagged VLAN list of the port.
Uplink port Supported. The native VLAN connected
to the port must exist and cannot be a
voice VLAN. In addition, the port allows
packets of the native VLAN and the
voice VLAN to pass through.
Untagged voice Access port Supported. The voice VLAN must one of
stream the VLANs to which the connected port
is added.
Private VLAN host port Supported. The voice VLAN must be
configured as the isolated VLAN or
community VLAN of the port.
Private VLAN hybrid port Supported. The voice VLAN must be
configured as the primary VLAN.
Trunk port Supported. The native VLAN connected
to the port must be a voice VLAN, and
the port allows packets of this VLAN to
pass through.
Hybrid port Supported. The native VLAN connected
to the port must be a voice VLAN. (If the
MAC VLAN function is enabled on the
port to isolate data streams from voice
streams, the native VLAN is not
necessary a voice VLAN.) In addition,
the VLAN must be in the allowed
untagged VLAN list of the port.
8-7
Configuration Guide Configuring Voice VLAN
Working Mode of the Voice Stream Type Port Type Supported Or Not
Voice VLAN
Uplink port Not supported.
If an IP phone sends tagged voice streams, and the 802.1x authentication and guest VLAN functions are enabled on
the port connected to the IP phone, you must allocate different VLAN IDs to the voice VLAN, default VLAN of the port,
and the guest VLAN of 802.1x to ensure that these functions take effect.
The protocol VLAN takes effect on untagged packets sent by a trunk port or hybrid port. In automatic mode of the voice
VLAN, a trunk port or hybrid port can process only tagged voice streams. Therefore, do not configure a VLAN both as a
protocol VLAN and a voice VLAN.
If the automatic mode is used, do not set the OUI as a static address; otherwise, the automatic mode is negatively
affected.
To better isolate voice streams from data streams during transmission, the voice VLAN provides the security mode. When
the security mode is enabled, the voice VLAN allows transmission of only voice streams. In this case, the device checks the
source MAC address of each packet. When the source MAC address of a packet is a voice VLAN OUI that can be identified,
the packet can be transmitted in the voice VLAN; otherwise, the packet is dropped. When the security mode is disabled, the
device does not check the source MAC address of each packet, and all packets can be transmitted in the voice VLAN.
In security mode, the device checks the source MAC address of only an untagged packet or a packet containing the
voice VLAN tag. For other packets that do not contain the voice VLAN tag, the device forwards or drops these packets
according to the VLAN rules.
You are advised not to transmit voice and data streams concurrently in a voice VLAN. If concurrent transmission of
voice and data streams is necessary, confirm that the security mode of the voice VLAN has been disabled.
Overview
Feature Description
Voice VLAN Transmit data streams and voice streams respectively in the data VLAN and the voice VLAN to
prevent mutual interference between voice calls and data services.
A device supporting the voice VLAN transmits data streams and voice streams respectively in the data VLAN and the voice
VLAN to prevent mutual interference between voice calls and data services. In addition, the device issues a priority policy to
improve the priority of voice streams and ensure the quality of calls. The working principle of the voice VLAN is as follows:
Step 1: The user creates a voice VLAN dedicated to transmission of voice packets on the device, and enable the voice VLAN
function on the port that is connected to the IP phone.
8-8
Configuration Guide Configuring Voice VLAN
Step 2: Add the port connected to the IP phone to the voice VLAN. This step is crucial. The way of adding a port to the voice
VLAN varies according to the working mode (automatic or manual) of the voice VLAN:
In automatic mode, when receiving an untagged packet from the port, the device compares the source MAC address of
this packet with the valid OUI. If the source MAC address matches the OUI, the packet is a voice packet. Then, the
device automatically adds the port to the voice VLAN, and meanwhile learns the MAC address from this port.
In manual mode, the user manually adds the port connected to the IP phone to the voice VLAN.
Step 3: Regardless of the working mode (automatic or manual), when a port is added to the voice VLAN, the device issues a
policy to improve the priority of every packet with the source MAC address matching the OUI in the voice VLAN. For every
voice packet with the source MAC address matching the OUI, the CoS is set to 6, and DSCP is set to 46.
After the preceding steps are complete, the port connected to the IP phone is added to the dedicated voice VLAN. Voice
packets are transmitted in a centralized manner in the voice VLAN, and is forwarded to other devices with a high priority.
If the IP phone supports the Link Layer Discovery Protocol (LLDP), you do not need to configure the OUI. The device can
capture the LLDP packet sent by the IP phone, and identifies the device capability field of the LLDP packet. If the device
capability field is "telephone", the device extracts the source MAC address from the LLDP packet as the MAC address of the
voice device. In this way, the voice device can be automatically identified.
Related Configuration
Run the voice vlan vlan-id command to enable the voice VLAN function and configure a VLAN as the voice VLAN.
Run the voice vlan enable command to enable the voice VLAN function of a port.
By default, the voice VLAN working mode of a port is set to the automatic mode.
Run the voice vlan mode auto command to set the voice VLAN working mode of a port to the automatic mode.
Run the no voice vlan mode auto command to set the voice VLAN working mode of a port to the manual mode.
The voice VLAN working modes of ports are independent of each other. You can configure different voice VLAN working
modes for different ports.
8-9
Configuration Guide Configuring Voice VLAN
By default, the aging time is 1,440 minutes. The aging time takes effect on ports only in automatic mode. If the port does not
receive any voice packet within the aging time, the port is automatically deleted from the voice VLAN. A longer aging time
indicates that a port can reside in the voice VLAN for a longer time before it receives any voice packet.
Run the voice vlan aging command to configure the aging time of a port.
Run the voice vlan mac-address command to configure the OUI of the voice VLAN that can be identified by devices.
Run the voice vlan security enable command to enable the security mode of the voice VLAN.
When the security mode is enabled, only voice streams can be transmitted in the voice VLAN.
By default, the CoS of voice streams is 6 and DSCP is 46. A higher priority of voice streams indicates a higher priority for
transmitting voice packets, which improves the quality of calls.
Run the voice vlan security cos command to set the CoS of voice streams in the voice VLAN.
Run the voice vlan security dscp command to set the DSCP of voice streams in the voice VLAN.
8.4 Configuration
8-10
Configuration Guide Configuring Voice VLAN
Notes
VLAN 1 is the default VLAN and does not need to be created, but VLAN 1 cannot be configured as the voice VLAN.
A VLAN cannot be configured both as the voice VLAN and super VLAN.
If 802.1x authentication with VLAN assignment is enabled on the port, do not configure the issued VLAN ID as the voice
VLAN ID; otherwise, the function of 802.1x authentication with VLAN assignment is negatively affected.
Do not configure the same VLAN as the remote VLAN and voice VLAN of the remote switched port analyzer (RSPAN);
otherwise the RSPAN and voice VLAN functions may be negatively affected.
Configuration Steps
Mandatory.
Create a VLAN, and configure this VLAN as the voice VLAN for transmission of voice streams.
Perform this configuration on a switch.
Command voice vlan vlan-id
Parameter De vlan-id: Indicates the ID of a VLAN. The value ranges from 2 to 4,094.
scription
Defaults By default, the voice VLAN function is disabled.
Command Global configuration mode
8-11
Configuration Guide Configuring Voice VLAN
Mode
Usage Guide Run the no voice vlan command in global configuration mode to disable the voice VLAN function.
Assume that both the 802.1x and voice VLAN functions are enabled on a port. If the device MAC address of an IP
phone matches the OUI of the voice VLAN configured on the Ruijie device, the IP phone can use the voice VLAN for
communication without being authenticated. For example, if a PC and an IP phone are connected to the same port, and
the 802.1x function is enabled, the PC must pass the 802.1x authentication before using the network for communication,
but the IP phone does not need to be authenticated.
Verification
Run the show voice vlan command to check whether the configuration takes effect.
Command show voice vlan
Parameter N/A
Description
Command All configuration modes
Mode
Usage Guide N/A
Voice VLAN ID : 10
PORT MODE
-------------------- ----------
Configuration Example
Create VLAN 2.
Configuration
Globally enable the voice VLAN function, and configure VLAN 2 as a voice VLAN.
Steps
Ruijie(config)# vlan 2
8-12
Configuration Guide Configuring Voice VLAN
Ruijie(config-vlan)# exit
Run the show voice vlan command to check whether the configuration is correct.
Verification
Voice VLAN ID : 2
PORT MODE
-------------------- ----------
Enable the voice VLAN function of a port connected to an IP phone. This step is mandatory to enable a port to transmit voice
streams.
Notes
The voice VLAN function can be enabled only on a Layer-2 (L2) port, such as the access port, trunk port, hybrid port,
uplink port, and private VLAN port. It cannot be enabled on an AP port or a routed port.
After the voice VLAN function is enabled on a port, to ensure normal operation of the function, do not switch the L2
mode (such as the access port, trunk port, and hybrid port) of the port. If L2 mode switching of a port is necessary,
disable the voice VLAN port on this port first.
Configuration Steps
8-13
Configuration Guide Configuring Voice VLAN
scription
Defaults By default, the voice VLAN function is disabled on a port.
Command Interface configuration mode
Mode
Usage Guide Run the no voice vlan enable command to disable the voice VLAN function on a port.
When the voice VLAN function is globally disabled, you can enable the voice VLAN function on a port, but this
configuration does not take effect.
Verification
Run the show voice vlan command to check whether the configuration takes effect.
Command show voice vlan
Parameter N/A
Description
Command All configuration modes
Mode
Usage Guide N/A
Voice VLAN ID : 10
PORT MODE
-------------------- ----------
Gi0/1 MANUAL
Configuration Example
Enter the port configuration mode, and enable the voice VLAN function on a physical port.
Configuration
Steps
8-14
Configuration Guide Configuring Voice VLAN
Verification Run the show voice vlan command to check whether the configuration is correct.
Voice VLAN ID : 10
PORT MODE
-------------------- ----------
Gi0/1 MANUAL
Configure the aging time of the voice VLAN on a device. If the device does not receive any voice packet from the input
port within the aging time, the port is automatically deleted from the voice VLAN. The aging time takes effect only in
automatic mode.
Configuration Steps
Optional.
Perform this configuration if you need to change the time that a port resides in the voice VLAN before the port receives
any voice stream.
8-15
Configuration Guide Configuring Voice VLAN
Mode
Usage Guide Run the no voice vlan aging command in global configuration mode to restore the default aging time.
Verification
Run the show voice vlan command to check whether the configuration takes effect.
Voice VLAN ID : 10
PORT MODE
-------------------- ----------
Configuration Example
Verification Run the show voice vlan command to check whether the configuration is correct.
8-16
Configuration Guide Configuring Voice VLAN
Voice VLAN ID : 10
PORT MODE
-------------------- ----------
Ruijie products support configuration of the OUI of a voice VLAN that can be identified. For details about the OUI, see
"Overview". A device supporting the voice VLAN function can compare the source MAC address contained in a
received packet with the OUI of the voice VLAN configured on the device to check whether the stream is a voice stream
sent from a specified voice device.
Notes
The OUI of the voice VLAN cannot be a multicast address, and the configured mask must be continuous.
Configuration Steps
Optional.
After an IP phone is connected to the device that supports the voice VLAN, you need to configure the OUI of the IP
phone so that the IP phone can implement communication on the network.
8-17
Configuration Guide Configuring Voice VLAN
Configuration Example
Configuration Set the OUI of the voice VLAN to 0012.3400.0000, and the supplier is Company A.
Steps
Verification Run the show voice vlan oui command to check whether the configuration is correct.
To better isolate voice streams from data streams during transmission, Ruijie products support the security mode of the
voice VLAN. When the security mode is enabled, only voice streams can be transmitted in the voice VLAN, which better
ensures the quality of voice stream transmission.
Configuration Steps
Optional.
The security mode of the voice VLAN is configured to isolate voice streams from data streams. Perform this
configuration if only voice streams can be transmitted in the voice VLAN.
8-18
Configuration Guide Configuring Voice VLAN
Voice VLAN ID : 10
PORT MODE
-------------------- ----------
Configuration Example
Configuration Enter the global configuration mode, and enable the security mode of the voice VLAN.
Steps
8-19
Configuration Guide Configuring Voice VLAN
Verification Run the show voice vlan command to check whether the configuration is correct.
Voice VLAN ID : 10
PORT MODE
-------------------- ----------
Modify the CoS and DSCP values of voice streams in the voice VLAN to improve the priority of voice streams and
ensure the quality of calls. For details about the CoS and DSCP, see "Configuring the QoS".
Configuration Steps
Optional.
Perform this configuration if you need to improve the priority of voice streams.
8-20
Configuration Guide Configuring Voice VLAN
Voice VLAN ID : 10
PORT MODE
-------------------- ----------
Configuration Example
Configuration Set the CoS of voice streams in the voice VLAN to 5 and the DSCP to 40.
Steps
Verification Run the show voice vlan command to check whether the configuration is correct.
Voice VLAN ID : 10
8-21
Configuration Guide Configuring Voice VLAN
PORT MODE
-------------------- ----------
The voice VLAN may work in either automatic or manual mode. The working mode of the voice VLAN is configured in
port configuration mode. For details about the automatic and manual modes, see "Automatic and Manual Modes of the
Voice VLAN".
Notes
If the voice VLAN function is enabled on a port and the voice VLAN works in manual mode, you must manually add the
port to the voice VLAN to ensure that the voice VLAN function can take effect.
When the voice VLAN function is enabled on a port and the voice VLAN works in automatic mode, do not configure the
native VLAN of the port as the voice VLAN; otherwise, the voice VLAN function may be negatively affected.
By default, the trunk or hybrid port of a Ruijie product can transmit packets of all VLANs. You need to delete the voice
VLAN from the allowed VLAN list of a port and then enable the voice VLAN function. In this way, ports that are not
connected to any voice device will not be added to the voice VLAN, and ports that are not in use for a long time always
reside in the voice VLAN.
Configuration Steps
Setting the Voice VLAN Working Mode of a Port to the Automatic Mode
Optional.
Perform this configuration if you want a port to be automatically added to the voice VLAN when the port receive voice
streams and automatically deleted from the voice VLAN when the aging time expires.
After the voice VLAN function is enabled on a port, the working mode of the voice VLAN cannot be changed. To change
the working mode of the voice VLAN, you must first disable the voice VLAN function on the port.
8-22
Configuration Guide Configuring Voice VLAN
In automatic mode, you cannot use the manual configuration command (switchport trunk allow vlan add) to add a
port to or delete a port from the voice VLAN.
Verification
Run the show voice vlan command to check whether the configuration takes effect.
Voice VLAN ID : 10
PORT MODE
-------------------- ----------
Gi0/1 AUTO
Configuration Example
8-23
Configuration Guide Configuring Voice VLAN
Scenario
Figure 8-4
Ruijie(config)# vlan 2
Ruijie(config-vlan)# exit
Step 2: Configure data on the device so that the device allows voice packets with the OUI set to
0012.3400.0000 and mask set to ffff.ff00.0000 to be forwarded through the voice VLAN.
8-24
Configuration Guide Configuring Voice VLAN
Step 3: Configure Fa0/1 as the trunk port, and VLAN 5 as the native VLAN of the port.
Step 4: Delete the voice VLAN from the allowed VLAN list of the Fa0/1 port, and enable the voice VLAN
function of the Fa0/1 port.
Verification Run the show voice vlan command to check the current status of the voice VLAN on the device.
Voice Vlan ID : 2
PORT MODE
-------------------- ----------
Fa0/1 AUTO
0012.3400.0000 ffff.ff00.0000
8.5 Monitoring
Displaying
8-25
Configuration Guide Configuring Voice VLAN
Description Command
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs the voice VLAN. debug bridge vvlan
8-26
Configuration Guide Configuring MSTP
9 Configuring MSTP
9.1 Overview
Spanning Tree Protocol (STP) is a Layer-2 management protocol. It cannot only selectively block redundant links to eliminate
Layer-2 loops but also can back up links.
Similar to many protocols, STP is continuously updated from Rapid Spanning Tree Protocol (RSTP) to Multiple Spanning
Tree Protocol (MSTP) as the network develops.
For the Layer-2 Ethernet, only one active link can exist between two local area networks (LANs). Otherwise, a broadcast
storm will occur. To enhance the reliability of a LAN, it is necessary to establish a redundant link and keep some paths in
backup state. If the network is faulty and a link fails, you must switch the redundant link to the active state. STP can
automatically activate the redundant link without any manual operations. STP enables devices on a LAN to:
Troubleshoot a fault and automatically update the network topology so that the possible best tree topology is always
selected.
The LAN topology is automatically calculated based on a set of bridge parameters configured by the administrator. The best
topology tree can be obtained by properly configuring these parameters.
RSTP is completely compatible with 802.1D STP. Similar to traditional STP, RSTP provides loop-free and redundancy
services. It is characterized by rapid speed. If all bridges in a LAN support RSTP and are properly configured by the
administrator, it takes less than 1 second (about 50 seconds if traditional STP is used) to re-generate a topology tree after the
network topology changes.
STP migration is slow. Even on point-to-point links or edge ports, it still takes two times of the forward delay for ports to
switch to the forwarding state.
RSTP can rapidly converge but has the same defect with STP: Since all VLANs in a LAN share the same spanning
tree, packets of all VLANs are forwarded along this spanning tree. Therefore, redundant links cannot be blocked
according to specific VLANs and data traffic cannot be balanced among VLANs.
MSTP, defined by the IEEE in 802.1s, resolves defects of STP and RSTP. It cannot only rapidly converge but also can
enable traffic of different VLANs to be forwarded along respective paths, thereby providing a better load balancing
mechanism for redundant links.
In general, STP/RSTP works based on ports while MSTP works based on instances. An instance is a set of multiple VLANs.
Binding multiple VLANs to one instance can reduce the communication overhead and resource utilization.
Ruijie devices support STP, RSTP, and MSTP, and comply with IEEE 802.1D, IEEE 802.1w, and IEEE 802.1s.
9-1
Configuration Guide Configuring MSTP
IEEE 802.1w: Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid Reconfiguration
IEEE 802.1s: Virtual Bridged Local Area Networks—Amendment 3: Multiple Spanning Trees
9.2 Applications
Application Description
MSTP+VRRP Dual-Core Topology With a hierarchical network architecture model, the MSTP+VRRP mode is used to
implement redundancy and load balancing to improve system availability of the
network.
BPDU Tunnel In QinQ network environment, Bridge Protocol Data Unit (BPDU) Tunnel is used to
implement tunnel-based transparent transmission of STP packets.
The typical application of MSTP is the MSTP+VRRP dual-core solution. This solution is an excellent solution to improve
system availability of the network. Using a hierarchical network architecture model, it is generally divided into three layers
(core layer, convergence layer, and access layer) or two layers (core layer and access layer). They form the core network
system to provide data exchange service.
The main advantage of this architecture is its hierarchical structure. In the hierarchical network architecture, all capacity
indicators, characteristics, and functions of network devices at each layer are optimized based on their network locations and
roles, enhancing their stability and availability.
Remarks The topology is divided into two layers: core layer (Devices A and B) and access layer (Devices C and D).
9-2
Configuration Guide Configuring MSTP
Deployment
Core layer: Multiple MSTP instances are configured to realize load balancing. For example, two instances are created:
Instance 1 and Instance 2. Instance 1 maps VLAN 10 while Instance 2 maps VLAN 20. Device A is the root bridge of
Instances 0 and 1 (Instance 0 is CIST, which exists by default). Device B is the root bridge of Instance 2.
Core layer: Devices A and B are the active VRRP devices respectively on VLAN 10 and VLAN 20.
Access layer: Configure the port directly connected to the terminal (PC or server) as a PortFast port, and enable BPDU
guard to prevent unauthorized users from accessing illegal devices.
The QinQ network is generally divided into two parts:customer network and service provider (SP) network. You can enable
BPDU Tunnel to calculate STP packets of the customer network independently of the SP network, thereby preventing STP
packets between the customer network from affecting the SP network.
Remarks As shown in the above figure, the upper part is the SP network and the lower part is the customer network. The
SP network consists of two provider edges (PEs): Provider S1 and Provider S2. Customer Network A1 and
Customer Network A2 are a user's two sites in different regions. Customer S1 and Customer S2, access devices
from the customer network to the SP network, access the SP network respectively through Provider S1 and
Provider S2.
Using BPDU Tunnel, Customer Network A1 and Customer Network A2 in different regions can perform unified
spanning tree calculation across the SP network, not affecting the spanning tree calculation of the SP network.
Deployment
9-3
Configuration Guide Configuring MSTP
Enable basic QinQ on the PEs (Provider S1/Provider S2 in this example) so that data packets of the customer network
are transmitted within the specified VLAN on the SP network.
Enable STP transparent transmission on the PEs (Provider S1/Provider S2 in this example) so that the SP network can
transmit STP packets of the customer network through BPDU Tunnel.
9.3 Features
Basic Concepts
BPDU
To generate a stable tree topology network, the following conditions must be met:
Each bridge has a unique ID consisting of the bridge priority and MAC address.
The overhead of the path from the bridge to the root bridge is called root path cost.
Bridges exchange BPDU packets to obtain information required for establishing the best tree topology. These packets use
the multicast address 01-80-C2-00-00-00 (hexadecimal) as the destination address.
Forward-Delay Time, Hello Time, Max-Age Time are time parameters specified in the MSTP.
Other flags, such as flags indicating network topology changes and local port status.
If a bridge receives a BPDU with a higher priority (smaller bridge ID and lower root path cost) at a port, it saves the BPDU
information at this port and transmits the information to all other ports. If the bridge receives a BPDU with a lower priority, it
discards the information.
Such a mechanism allows information with higher priorities to be transmitted across the entire network. BPDU exchange
results are as follows:
Except the root bridge, each bridge has a root port, that is, a port providing the shortest path to the root bridge.
Each LAN has a designated bridge located in the shortest path between the LAN and the root bridge. A port designated
to connect the bridge and the LAN is called designated port.
The root port and designated port enter the forwarding status.
9-4
Configuration Guide Configuring MSTP
Bridge ID
According to IEEE 802.1W, each bridge has a unique ID. The spanning tree algorithm selects the root bridge based on the
bridge ID. The bridge ID consists of eight bytes, of which the last six bytes are the MAC address of the bridge. In its first two
bytes (as listed in the following table), the first four bits indicate the priority; the last eight bits indicate the system ID for use in
extended protocol. In RSTP, the system ID is 0. Therefore, the bridge priority should be a integral multiple of 4,096.
Bit Value
16 32,768
15 16,384
Priority value
14 8,192
13 4,096
12 2,048
11 1,024
10 512
9 256
8 128
7 64
System ID
6 32
5 16
4 8
3 4
2 2
1 1
Spanning-Tree Timers
The following three timers affect the performance of the entire spanning tree:
Forward-Delay timer: Interval for changing the port status, that is, interval for a port to change from the listening state to
the learning state or from the learning state to the forwarding state when RSTP runs in STP-compatible mode.
Max-Age timer: The longest time-to-live (TTL) of a BPDU packet. When this timer elapses, the packet is discarded.
Each port plays a role on a network to reflect different functions in the network topology.
Root port: Port providing the shortest path to the root bridge.
Designated port: Port used by each LAN to connect the root bridge.
Alternate port: Alternative port of the root port. Once the root port loses effect, the alternate port immediately changes to
the root port.
Backup port: Backup port of the designated port. When a bridge has two ports connected to a LAN, the port with the
higher priority is the designated port while the port with the lower priority is the backup port.
9-5
Configuration Guide Configuring MSTP
Disabled port: Inactive port. All ports with the operation state being down play this role.
Figure 9-3
Figure 9-4
Figure 9-5
Each port has three states indicating whether to forward data packets so as to control the entire spanning tree topology.
Discarding: Neither forwards received packets nor learns the source MAC address.
Learning: Does not forward received packets but learns the source MAC address, which is a transitive state.
Forwarding: Forwards received packets and learns the source MAC address.
For a stable network topology, only the root port and designated port can enter the forwarding state while other ports are
always in discarding state.
Hop Count
9-6
Configuration Guide Configuring MSTP
Internal spanning trees (ISTs) and multiple spanning tree instances (MSTIs) calculate whether the BPDU packet time expires
based on an IP TTL-alike mechanism Hop Count, instead of Message Age and Max Age.
It is recommended to run the spanning-tree max-hops command in global configuration mode to configure the hop count. In
a region, every time a BPDU packet passes through a device from the root bridge, the hop count decreases by 1. When the
hop count becomes 0, the BPDU packet time expires and the device discards the packet.
To be compatible with STP and RSTP outside the region, MSTP also retains the Message Age and Max Age mechanisms.
Overview
Feature Description
STP STP, defined by the IEEE in 802.1D, is used to eliminate physical loops at the data link layer in a
LAN.
RSTP RSTP, defined by the IEEE in 802.1w, is optimized based on STP to rapidly converge the network
topology.
MSTP MSTP, defined by the IEEE in 802.1s, resolves defects of STP, RSTP, and Per-VLAN Spanning Tree
(PVST). It cannot only rapidly converge but also can forward traffic of different VLANs along
respective paths, thereby providing a better load balancing mechanism for redundant links.
MSTP Optical MSTP includes the following features: PortFast, BPDU guard, BPDU filter, TC protection, TC guard,
Features TC filter, BPDU check based on the source MAC address, BPDU filter based on the illegal length,
Auto Edge, root guard, and loop guard.
9.3.1 STP
STP is used to prevent broadcast storms incurred by loops and provide link redundancy.
Working Principle
For the Layer-2 Ethernet, only one active link can exist between two LANs. Otherwise, a broadcast storm will occur. To
enhance the reliability of a LAN, it is necessary to establish a redundant link and keep some paths in backup state. If the
network is faulty and a link fails, you must switch the redundant link to the active state. STP can automatically activate the
redundant link without any manual operations. STP enables devices on a LAN to:
Troubleshoot a fault and automatically update the network topology so that the possible best tree topology is always
selected.
The LAN topology is automatically calculated based on a set of bridge parameters configured by the administrator. The best
topology tree can be obtained by properly configuring these parameters.
9.3.2 RSTP
RSTP is completely compatible with 802.1D STP. Similar to traditional STP, RSTP provides loop-free and redundancy
services. It is characterized by rapid speed. If all bridges in a LAN support RSTP and are properly configured by the
9-7
Configuration Guide Configuring MSTP
administrator, it takes less than 1 second (about 50 seconds if traditional STP is used) to re-generate a topology tree after the
network topology changes.
Working Principle
RSTP has a special feature, that is, to make ports quickly enter the forwarding state.
STP enables a port to enter the forwarding state 30 seconds (two times of the Forward-Delay Time; the Forward-Delay Time
can be configured, with a default value of 15 seconds) after selecting a port role. Every time the topology changes, the root
port and designated port reselected by each bridge enter the forwarding state 30 seconds later. Therefore, it takes about 50
seconds for the entire network topology to become a tree.
RSTP differs greatly from STP in the forwarding process. As shown in Figure 9-6, Switch A sends an RSTP Proposal packet
to Switch B. If Switch B finds the priority of Switch A higher, it selects Switch A as the root bridge and the port receiving the
packet as the root port, enters the forwarding state, and then sends an Agree packet from the root port to Switch A. If the
designated port of Switch A is agreed, the port enters the forwarding state. Switch B's designated port resends a Proposal
packet to extend the spanning tree by sequence. Theoretically, RSTP can recover the network tree topology to rapidly
converge once the network topology changes.
Figure 9-6
The above handshake process is implemented only when the connection between ports is in point-to-point mode. To
give the devices their full play, it is recommended not to enable point-to-point connection between devices.
Figure 9-7 and Figure 9-8 show the examples of non point-to-point connection.
9-8
Configuration Guide Configuring MSTP
Figure 9-7
Figure 9-8
Figure 9-9
RSTP is completely compatible with STP. RSTP automatically checks whether the connected bridge supports STP or RSTP
based on the received BPDU version number. If the port connects to an STP bridge, the port enters the forwarding state 30
seconds later, which cannot give RSTP its full play.
9-9
Configuration Guide Configuring MSTP
Another problem may occur when RSTP and STP are used together. As shown in the following figures, Switch A (RSTP)
connects to Switch B (STP). If Switch A finds itself connected to an STP bridge, it sends an STP BPDU packet. However, if
Switch B is replaced with Switch C (RSTP) but Switch A still sends STP BPDU packets, Switch C will assume itself
connected to the STP bridge. As a result, two RSTP devices work under STP, greatly reducing the efficiency.
RSTP provides the protocol migration feature to forcibly send RSTP BPDU packets (the peer bridge must support RSTP). In
this case, Switch A is enforced to send an RSTP BPDU and Switch C then finds itself connected to the RSTP bridge. As a
result, two RSTP devices work under RSTP, as shown in Figure 9-11.
Figure 9-10
Figure 9-11
9.3.3 MSTP
MSTP resolves defects of STP and RSTP. It cannot only rapidly converge but also can forward traffic of different VLANs
along respective paths, thereby providing a better load balancing mechanism for redundant links.
Working Principle
Ruijie devices support MSTP. MSTP is a new spanning tree protocol developed from traditional STP and RSTP and includes
the fast RSTP forwarding mechanism.
Since traditional spanning tree protocols are irrelevant to VLANs, problems may occur in specific network topologies:
As shown in Figure 9-12, Devices A and B are in VLAN 1 while Devices C and D are in VLAN 2, forming a loop.
Figure 9-12
9-10
Configuration Guide Configuring MSTP
If the link from Device A to Device B through Devices C and D costs less than the link from Device A direct to Device B, the
link between Device A and Device B enters the discarding state (as shown in Figure 9-13). Since Devices C and D do not
include VLAN 1 and cannot forward data packets of VLAN 1, VLAN 1 of Device A fails to communicate with VLAN 1
of Device B.
Figure 9-13
MSTP is developed to resolve this problem. It divides one or multiple VLANs of a device into an instance. Devices
configured with the same instance form an MST region to run an independent spanning tree (called IST). This MST region,
like a big device, implements the spanning tree algorithm with other MST regions to generate a complete spanning tree
called common spanning tree (CST).
Based on this algorithm, the above network can form the topology shown in Figure 9-14 under the MSTP algorithm: Devices
A and B are in MSTP region 1 in which no loop occurs, and therefore no link enters the discarding state. This also applies to
MSTP Region 2. Region 1 and Region 2, like two big devices having loops, select a link to enter the discarding state based
on related configuration.
Figure 9-14
This prevents loops to ensure proper communication between devices in the same VLAN.
9-11
Configuration Guide Configuring MSTP
To give MSTP its due play, properly divide MSTP regions and configure the same MST configuration information for devices
in the same MSTP region.
MST instance-VLAN mapping table: A maximum number of 64 instances (with their IDs ranging from 1 to 64) are
created for each device and Instance 0 exists mandatorily. Therefore, the system supports a maximum number of 65
instances. Users can assign 1 to 4,994 VLANs belonging to different instances (ranging from 0 to 64) as required.
Unassigned VLANs belong to Instance 0 by default. In this case, each MSTI is a VLAN group and implements the
spanning tree algorithm of the MSTI specified in the BPDU packet, not affected by CIST and other MSTIs.
Run the spanning-tree mst configuration command in global configuration mode to enter the MST configuration mode to
configure the above information.
MSTP BPDUs carry the above information. If the BPDU received by a device carries the same MST configuration
information with the information on the device, it regards that the connected device belongs to the same MST region with
itself. Otherwise, it regards the connected device originated from another MST region.
It is recommended to configure the instance-VLAN mapping table after disabling MSTP. After the configuration,
re-enable MSTP to ensure stability and convergence of the network topology.
After MSTP regions are divided, each region selects an independent root bridge for each instance based on the
corresponding parameters such as bridge priority and port priority, assigns roles to each port on each device, and
specifies whether the port is in forwarding or discarding state in the instance based on the port role.
Through MSTP BPDU exchange, an IST is generated and each instance has their own spanning trees (MSTIs), in which the
spanning tree corresponding to Instance 0 and CST are uniformly called Common Instance Spanning Tree (CIST). That is,
each instance provides a single and loop-free network topology for their own VLAN groups.
As shown in Figure 9-15, Device A has the highest priority in the CIST (Instance 0) and thereby is selected as the region root.
Then MSTP enables the link between A and C to enter the discarding state based on other parameters. Therefore, for the
VLAN group of Instance 0, only links from A to B and from B to C are available, interrupting the loop of this VLAN group.
9-12
Configuration Guide Configuring MSTP
Figure 9-15
As shown in Figure 9-16, Device B has the highest priority in the MSTI 1 (Instance 1) and thereby is selected as the region
root. Then MSTP enables the link between B and C to enter the discarding state based on other parameters. Therefore, for
the VLAN group of Instance 1, only links from A to B and from A to C are available, interrupting the loop of this VLAN group.
Figure 9-16
As shown in Figure 9-17, Device C has the highest priority in the MSTI 2 (Instance 2) and thereby is selected as the region
root. Then MSTP enables the link between B and C to enter the discarding state based on other parameters. Therefore, for
the VLAN group of Instance 2, only links from B to C and from A to C are available, interrupting the loop of this VLAN group.
9-13
Configuration Guide Configuring MSTP
Figure 9-17
Note that MSTP does not care which VLAN a port belongs to. Therefore, users should configure the path cost and priority of
a related port based on the actual VLAN configuration to prevent MSTP from interrupting wrong loops.
Each MSTP region is like a big device for the CST. Different MSTP regions form a bit network topology tree called CST. As
shown in Figure 9-18, Device A, of which the bridge ID is the smallest, is selected as the root in the entire CST and the CIST
regional root in this region. In Region 2, since the root path cost from Device B to the CST root is lowest, Device B is selected
as the CIST regional root in this region. For the same reason, Device C is selected as the CIST regional root.
9-14
Configuration Guide Configuring MSTP
Figure 9-18
The CIST regional root may not be the device of which the bridge ID is the smallest in the region but indicates the device
of which the root path cost from this region to the CST root is the smallest.
For the MSTI, the root port of the CIST regional root has a new role "master port". The master port acts as the outbound port
of all instances and is in forwarding state for all instances. To make the topology more stable, we suggest that the master
port of each region to the CST root be on the same device of the region if possible.
Similar to RSTP, MSTP sends STP BPDUs to be compatible with STP. For details, see "Compatibility Between RSTP and
STP".
Since RSTP processes MSTP BPDUs of the CIST, MSTP does not need to send RSTP BPDUs to be compatible with it.
Each STP or RSTP device is a single region and does not form the same region with any devices.
Working Principle
PortFast
9-15
Configuration Guide Configuring MSTP
If a port of a device connects directly to the network terminal, this port is configured as a PortFast port to directly enter the
forwarding state. If the PortFast port is not configured, the port needs to wait for 30 seconds to enter the forwarding state.
Figure 9-19 shows which ports of a device can be configured as PortFast ports.
Figure 9-19
If a PortFast port still receives BPDUs, its Port Fast Operational State is Disabled and the port enters the forwarding state
according to the normal STP algorithm.
BPDU Guard
It is recommended to run the spanning-tree portfast bpduguard default command in global configuration mode to enable
global BPDU guard. If PortFast is enabled on a port or this port is automatically identified as an edge port, this port enters the
error-disabled state to indicate the configuration error immediately after receiving a BPDU. At the same time, the port is
disabled, indicating that a network device may be added by an unauthorized user to change the network topology.
It is also recommended to run the spanning-tree bpduguard enable command in interface configuration mode to enable
BPDU guard on a port (whether PortFast is enabled or not on the port). In this case, the port enters the error-disabled state
immediately after receiving a BPDU.
BPDU Filter
It is recommended to run the spanning-tree portfast bpdufilter default command in global configuration mode to enable
global BPDU filter. In this case, the PortFast port neither receives nor sends BPDUs and therefore the host connecting
directly to the PortFast port receives no BPDUs. If the port changes its Port Fast Operational State to Disabled after receiving
a BPDU, BPDU filter automatically loses effect.
It is also recommended to run the spanning-tree bpdufilter enable command in interface configuration mode to enable
BPDU filter on a port (whether PortFast is enabled or not on the port). In this case, the port neither receives nor sends
BPDUs but directly enters the forwarding state.
TC Protection
9-16
Configuration Guide Configuring MSTP
TC BPDUs are BPDU packets carrying the TC. If a switch receives such packets, it indicates the network topology changes
and the switch will delete the MAC address table. For Layer-3 switches in this case, the forwarding module is re-enabled and
the port status in the ARP entry changes. When a switch is attacked by forged TC BPDUs, it will frequently perform the
above operations, causing heavy load and affecting network stability. To prevent this problem, you can enable TC protection.
TC protection can only be globally enabled or disabled. This function is disabled by default.
When TC protection is enabled, the switch deletes TC BPDUs within a specified period (generally 4 seconds) after receiving
them and monitors whether any TC BPDU packet is received during the period. If a device receives TC BPDU packets during
this period, it deletes them when the period expires. This can prevent the device from frequently deleting MAC address
entries and ARP entries.
TC Guard
TC protection ensures less dynamic MAC addresses and ARP entries removed when a large number of TC packets are
generated on the network. However, a device receiving TC attack packets still performs many removal operations and TC
packets can be spread, affecting the entire network. Users can enable TC guard to prevent TC packets from spreading
globally or on a port. If TC guard is enabled globally or on a port, a port receiving TC packets filters these TC packets or TC
packets generated by itself so that TC packets will not be spread to other ports. This can effectively control possible TC
attacks in the network to ensure network stability. Particularly on Layer-3 devices, this function can effectively prevent the
access-layer device from flapping and interrupting the core route.
It is recommended to enable this function only when illegal TC attack packets are received in the network.
If TC guard is enabled globally, no port spreads TC packets to others. This function can be enabled only on laptop
access devices.
If TC guard is enabled on a port, the topology changes incurred and TC packets received on the port will not be spread
to other ports. This function can be enabled only on uplink ports, particularly on ports of the convergence core.
TC Filter
If TC guard is enabled on a port, the port does not forward TC packets received and generated by the port to other ports
performing spanning tree calculation on the device. When the status of a port changes (for example, from blocking to
forwarding), the port generates TC packets, indicating that the topology may have changed.
In this case, since TC guard prevents TC packets from spreading, the device may not clear the MAC addresses of the
port when the network topology changes, causing a data forwarding error.
To resolve this problem, TC filter is introduced. TC filter does not process TC packets received by ports but processes TC
packets in case of normal topology changes. If TC filter is enabled, the address removal problem will be avoided and the core
route will not be interrupted when ports not enabled with PortFast frequently go up or down, and the core routing entries can
be updated in a timely manner when the topology changes.
9-17
Configuration Guide Configuring MSTP
BPDU source MAC address check prevents BPDU packets from maliciously attacking switches and causing MSTP abnormal.
When the switch connected to a port on a point-to-point link is determined, you can enable BPDU source MAC address
check to receive BPDU packets sent only by the peer switch and discard all other BPDU packets, thereby preventing
malicious attacks. You can enable the BPDU source MAC address check in interface configuration mode for a specific port.
One port can only filter one MAC address. If you run the no bpdu src-mac-check command to disable BPDU source MAC
address check on a port, the port receives all BPDU packets.
BPDU Filter
If the Ethernet length of a BPDU exceeds 1,500, this BPDU will be discarded, preventing receipt of illegal BPDU packets.
Auto Edge
If the designated port of a device does not receive a BPDU from the downlink port within a specific period (3 seconds), the
device regards a network device connected to the designated port, configures the port as an edge port, and switches the port
directly into the forwarding state. The edge port will be automatically identified as a non-edge port after receiving a BPDU.
You can run the spanning-tree autoedge disabled command to disable Auto Edge.
If Auto Edge conflicts with the manually configured PortFast, the manual configuration prevails.
Since this function is used for rapid negotiation and forwarding between the designated port and the downlink port, STP
does not support this function. If the designated port is in forwarding state, the Auto Edge configuration does not take
effect on this port. It takes only when rapid negotiation is re-performed, for example, when the network cable is removed
and plugged.
If BPDU filter has been enabled on a port, the port directly enters the forwarding state and is not automatically identified
as an edge port.
Root Guard
In the network design, the root bridge and backup root bridge are usually divided into the same region. Due to incorrect
configuration of maintenance personnel or malicious attacks in the network, the root bridge may receive configuration
information with a higher priority and thereby switches to the backup root bridge, causing incorrect changes in the network
topology. Root guard is to resolve this problem.
If root guard is enabled on a port, its roles on all instances are enforced as the designated port. Once the port receives
configuration information with a higher priority, it enters the root-inconsistent (blocking) state. If the port does not receive
configuration information with a higher priority within a period, it returns to its original state.
If a port enters the blocking state due to root guard, you can manually restore the port to the normal state by disabling root
guard on this port or disabling spanning tree guard (running spanning-tree guard none in interface configuration mode).
If root guard is enabled on a non-designated port, this port will be enforced as a designated port and enter the BKN
state. This indicates that the port enters the blocking state due to root inconsistency.
9-18
Configuration Guide Configuring MSTP
If a port enters the BKN state due to receipt of configuration information with a higher priority in MST0, this port will be
enforced in the BKN state in all other instances.
Root guard and loop guard cannot take effect on a port at the same time.
Loop Guard
Due to the unidirectional link failure, the root port or backup port becomes the designated port and enters the forwarding
state if it does not receive BPDUs, causing a network loop. Loop guard is to prevent this problem.
If a port enabled with loop guard does not receive BPDUs, the port switches its role but stays in discarding state till it receives
BPDUs and recalculates the spanning tree.
Root guard and loop guard cannot take effect on a port at the same time.
Before MSTP is restarted on a port, the port enters the blocking state in loop guard. If the port still receives no BPDU
after MSTP is restarted, the port will become a designated port and enter the forwarding state. Therefore, it is
recommended to identify the cause why a port enters the blocking state in loop protection and rectify the fault as soon
as possible before restarting MSTP. Otherwise, the spanning tree topology will still become abnormal after MSTP is
restarted.
In IEEE 802.1Q, the destination MAC address 01-80-C2-00-00-00 of the BPDU is used as a reserved address. That is,
devices compliant with IEEE 802.1Q do not forward the BPDU packets received. However, devices may need to
transparently transmit BPDU packets in actual network deployment. For example, if STP is disabled on a device, the device
needs to transparently transmit BPDU packets so that the spanning tree between devices is properly calculated.
BPDU transparent transmission takes effect only when STP is disabled. If STP is enabled on a device, the device does
not transparently transmit BPDU packets.
BPDU Tunnel
The QinQ network is generally divided into two parts: customer network and SP network. Before a user packet enters the SP
network, it is encapsulated with the VLAN tag of an SP network and also retains the original VLAN tag as data. As a result,
the packet carries two VLAN tags to pass through the SP network. In the SP network, packets are transmitted only based on
the outer-layer VLAN tag. When packets leave the SP network, the outer-layer VLAN tag is removed.
The STP packet transparent transmission feature, namely BPDU Tunnel, can be used to realize the transmission of STP
packets between the customer network without any impact on the SP network. If an STP packet sent from the customer
network enters a PE, the PE changes the destination MAC address of the packet to a private address before the packet is
forwarded by the SP network. When the packet reaches the PE at the peer end, the PE changes the destination MAC
address to a public address and returns the packet to the customer network at the peer end, realizing transparent
transmission across the SP network. In this case, STP on the customer network is calculated independently of that on the SP
network.
9-19
Configuration Guide Configuring MSTP
9.4 Configuration
(Optional) It is used to configure the path cost of a port or the default path cost
calculation method.
Configuring the Port Path
Cost spanning-tree cost Configures the port path cost.
Configures the default path cost calculation
spanning-tree pathcost method
method.
Configuring the Maximum (Optional) It is used to configure the maximum hop count of a BPDU packet.
Hop Count of a BPDU
Configures the maximum hop count of a
Packet spanning-tree max-hops
BPDU packet.
9-20
Configuration Guide Configuring MSTP
Notes
STP is disabled by default. Once STP is enabled, the device starts to run STP. The device runs MSTP by default.
STP and Transparent Interconnection of Lots of Links (TRILL) of the data center cannot be enabled at the same time.
9-21
Configuration Guide Configuring MSTP
Configuration Steps
Enabling STP
Mandatory.
Run the spanning-tree [ forward-time seconds | hello-time seconds | max-age seconds ] command to enable STP
and configure basic attributes.
The forward-time ranges from 4 to 30. The hello-time ranges from 1 to 10. The max-age ranges from 6 to 40.
Running the clear commands may lose vital information and thus interrupt services. The value ranges of forward-time,
hello-time, and max-age are related. If one of them is modified, the other two ranges are affected. The three values
must meet the following condition: 2 x (Hello Time + 1 second) <= Max-Age Time <= 2 x (Forward-Delay Time –1
second). Otherwise, the configuration will fail.
Command spanning-tree [ forward-time seconds | hello-time seconds | max-age seconds | tx-hold-count numbers]
Parameter De forward-time seconds: Indicates the interval when the port status changes. The value ranges from 4 to 30
scription seconds. The default value is 15 seconds.
hello-time seconds: Indicates the interval when a device sends a BPDU packet. The value ranges from 1 to
10 seconds. The default value is 2 seconds.
max-age second: Indicates the longest TTL of a BPDU packet. The value ranges from 6 to 40 seconds. The
default value is 20 seconds.
tx-hold-count numbers: Indicates the maximum number of BPDUs sent per second. The value ranges from
1 to 10. The default value is 3.
Defaults STP is disabled by default.
Command Global configuration mode
Mode
Usage Guide The value ranges of forward-time, hello-time, and max-age are related. If one of them is modified, the other
two ranges are affected. The three values must meet the following condition:
2 x (Hello Time + 1 second) <= Max-Age Time <= 2 x (Forward-Delay Time – 1 second)
Otherwise, the topology may become unstable and the configuration will fail.
Optional.
According to related 802.1 protocol standards, STP, RSTP, and MSTP are mutually compatible, without any
configuration by the administrator. However, some vendors' devices do not work according to 802.1 protocol standards,
possibly causing incompatibility. Therefore, Ruijie provides a command for the administrator to switch the STP mode to
a lower version if other vendors' devices are incompatible with Ruijie devices.
Run the spanning-tree mode [ stp | rstp | mstp ] command to modify the STP mode.
9-22
Configuration Guide Configuring MSTP
Verification
Configuration Example
Scenario
Figure 9-20
Configuration Enable STP and set the STP mode to STP on the devices.
Steps Configure the timer parameters of root bridge DEV A as follows: Hello Time=4s, Max Age=25s,
Forward Delay=18s.
DEV A
Step 1: Enable STP and set the STP mode to STP.
Ruijie#configure terminal
Ruijie(config)#spanning-tree
Ruijie(config)#spanning-tree hello-time 4
Ruijie(config)#spanning-tree max-age 25
Ruijie(config)#spanning-tree forward-time 18
9-23
Configuration Guide Configuring MSTP
DEV B
Enable STP and set the STP mode to STP.
Ruijie#configure terminal
Ruijie(config)#spanning-tree
Verification Run the show spanning-tree summary command to display the spanning tree topology and protocol
configuration parameters.
DEV A
Ruijie#show spanning-tree summary
Root ID Priority 0
Address 00d0.f822.3344
Bridge ID Priority 0
Address 00d0.f822.3344
DEV B
Ruijie#show spanning-tree summary
Root ID Priority 0
Address 00d0.f822.3344
9-24
Configuration Guide Configuring MSTP
Address 001a.a917.78cc
Common Errors
9.4.2 The STP timer parameters will take effect only when the device is set as the root
bridge of the STP.Configuring STP Compatibility
Configuration Effect
Enable the compatibility mode of a port to realize interconnection between Ruijie devices and other SPs' devices.
Enable protocol migration to perform forcible version check to affect the compatibility between RSTP and STP.
Notes
If the compatibility mode is enabled on a port, this port will add different MSTI information into the to-be-sent BPDU
based on the current port to realize interconnection between Ruijie devices and other SPs' devices.
Configuration Steps
Optional.
Optional.
9-25
Configuration Guide Configuring MSTP
If the peer device supports RSTP, you can enforce version check on the local device to force the two devices to run
RSTP.
Run the clear spanning-tree detected-protocols [ interface interface-id ] command to enforce version check on a
port. For details, see "Compatibility Between RSTP and STP".
Verification
Configuration Example
Scenario
Figure 9-21
Configuration Configure Instances 1 and 2 on Devices A and B, and map Instance 1 with VLAN 10 and Instance
Steps 2 with VLAN 20.
Configure Gi0/1 and Gi0/2 to respectively belong to VLAN 10 and VLAN 20, and enable STP
compatibility.
DEV A
Step 1: Configure Instances 1 and 2, and map Instances 1 and 2 respectively with VLANs 10 and 20.
Ruijie#configure terminal
Ruijie(config-mst)#instance 1 vlan 10
Ruijie(config-mst)#instance 2 vlan 20
9-26
Configuration Guide Configuring MSTP
Step 2: Configure the VLAN the port belongs to, and enable STP compatibility on the port.
Ruijie(config)#int gi 0/1
DEV B
Perform the same steps as DEV A.
Verification Run the show spanning-tree summary command to check whether the spanning tree topology is
correctly calculated.
DEV A
Ruijie#show spanning-tree summary
Address 001a.a917.78cc
Address 001a.a917.78cc
Address 001a.a917.78cc
9-27
Configuration Guide Configuring MSTP
Address 001a.a917.78cc
Address 001a.a917.78cc
Address 001a.a917.78cc
DEV B
Ruijie#show spanning-tree summary
Address 001a.a917.78cc
Address 00d0.f822.3344
9-28
Configuration Guide Configuring MSTP
Address 001a.a917.78cc
Address 00d0.f822.3344
Address 001a.a917.78cc
Address 00d0.f822.3344
Common Errors
9-29
Configuration Guide Configuring MSTP
N/A
Configure an MSTP region to adjust which devices belong to the same MSTP region and thereby affect the network
topology.
Notes
To make multiple devices belong to the same MSTP region, configure the same name, revision number, and
instance-VLAN mapping table for them.
You can configure VLANs for Instances 0 to 64, and then the remaining VLANs are automatically allocated to Instance
0. One VLAN belongs to only one instance.
It is recommended to configure the instance-VLAN mapping table after disabling STP. After the configuration, re-enable
MSTP to ensure stability and convergence of the network topology.
Configuration Steps
Optional.
Configure an MSTP region when multiple devices need to belong to the same MSTP region.
Run the spanning-tree mst configuration command to enter the MST configuration mode.
Run the instance instance-id vlan vlan-range command to configure the MSTI-VLAN mapping.
Run the revision version command to configure the MST version number.
9-30
Configuration Guide Configuring MSTP
Mode
Usage Guide To add a VLAN group to an MSTI, run this command.
For example,
instance 1 vlan 2-200: Adds VLANs 2 to 200 to Instance 1.
instance 1 vlan 2,20,200: Adds VLANs 2, 20, and 200 to Instance 1.
You can use the no form of this command to remove VLANs from an instance. Removed VLANs are
automatically forwarded to Instance 0.
Verification
Run the show spanning-tree mst configuration command to display the MSTP region configuration.
Configuration Example
9-31
Configuration Guide Configuring MSTP
Scenario
Figure 9-22
A(config)#vlan 10
A(config-vlan)#vlan 20
A(config-vlan)#exit
A(config-if-range)#int ag 1
A(config)#spanning-tree
A(config-mst)#instance 1 vlan 10
A(config-mst)#instance 2 vlan 20
A(config-mst)#exit
9-32
Configuration Guide Configuring MSTP
Step 4: Configure VRRP priorities to enable Switch A to act as the VRRP master device of VLAN 10, and
configure the virtual gateway IP address of VRRP.
A(config)#interface vlan 10
Step 5 Set the VRRP priority to the default value 100 to enable Switch A to act as the VRRP backup device
of VLAN 20.
A(config)#interface vlan 20
B Step 1: Configure VLANs 10 and 20, and configure ports as Trunk ports.
B(config)#vlan 10
B(config-vlan)#vlan 20
B(config-vlan)#exit
B(config-if-range)#int ag 1
B(config)#spanning-tree
B(config-mst)#instance 1 vlan 10
B(config-mst)#instance 2 vlan 20
B(config-mst)#exit
9-33
Configuration Guide Configuring MSTP
B(config)#interface vlan 10
Step 5 Set the VRRP priority to 120 to enable Switch B to act as the VRRP backup device of VLAN 20.
B(config)#interface vlan 20
C Step 1: Configure VLANs 10 and 20, and configure ports as Trunk ports.
C(config)#vlan 10
C(config-vlan)#vlan 20
C(config-vlan)#exit
C(config)#spanning-tree
C(config-mst)#instance 1 vlan 10
C(config-mst)#instance 2 vlan 20
C(config-mst)#exit
Step 3: Configure the port connecting Device C directly to users as a PortFast port and enable BPDU guard.
C(config)#int gi 0/3
9-34
Configuration Guide Configuring MSTP
D
Perform the same steps as Device C.
Verification Run the show spanning-tree summary command to check whether the spanning tree topology is
correctly calculated.
Run the show vrrp brief command to check whether the VRRP master/backup devices are
successfully created.
A
Ruijie#show spanning-tree summary
Address 00d0.f822.3344
Address 00d0.f822.3344
Address 00d0.f822.3344
9-35
Configuration Guide Configuring MSTP
Address 00d0.f822.3344
Address 001a.a917.78cc
Address 00d0.f822.3344
B
Ruijie#show spanning-tree summary
Address 00d0.f822.3344
9-36
Configuration Guide Configuring MSTP
Address 001a.a917.78cc
Address 00d0.f822.3344
Address 001a.a917.78cc
Address 001a.a917.78cc
Address 001a.a917.78cc
9-37
Configuration Guide Configuring MSTP
C
Ruijie#show spanning-tree summary
Address 00d0.f822.3344
Address 001a.a979.00ea
Address 00d0.f822.3344
Address 001a.a979.00ea
9-38
Configuration Guide Configuring MSTP
Address 001a.a917.78cc
Address 001a.a979.00ea
D
Omitted.
Common Errors
VLANs are not created before you configure the mapping between the instance and VLAN.
A device runs STP or RSTP in the MSTP+VRRP topology, but calculates the spanning tree according to the algorithms
of different MST regions.
Notes
If the link type of a port is point-to-point connection, RSTP can rapidly converge. For details, see "Fast RSTP
Convergence". If the link type is not configured, the device automatically sets the link type based on the duplex mode of
the port. If a port is in full duplex mode, the device sets the link type to point-to-point. If a port is in half duplex mode, the
device sets the link type to shared. You can also forcibly configure the link type to determine whether the port
connection is point-to-point connection.
9-39
Configuration Guide Configuring MSTP
Configuration Steps
Optional.
Verification
Run the show spanning-tree [mst instance-id] interface interface-id command to display the spanning tree
configuration of the port.
Configuration Example
Ruijie(config)#int gi 0/1
Verification
Run the show spanning-tree summary command to display the link type of the port.
Address 001a.a917.78cc
9-40
Configuration Guide Configuring MSTP
Address 00d0.f822.3344
Common Errors
N/A
Configure the switch priority to determine a device as the root of the entire network and to determine the topology of the
entire network.
Configure the port priority to determine which port enters the forwarding state.
Notes
It is recommended to set the priority of the core device higher (to a smaller value) to ensure stability of the entire
network. You can assign different switch priorities to different instances so that each instance runs an independent STP
based on the assigned priorities. Devices in different regions use the priority only of the CIST (Instance 0). As described
in bridge ID, the switch priority has 16 optional values: 0, 4,096, 8,192, 12,288, 16,384, 20,480, 24,576, 28,672, 32,768,
36,864, 40,960, 45,056, 49,152, 53,248, 57,344, 61,440. They are integral multiples of 4,096. The default value is
32,768.
If two ports are connected to a shared device, the device selects a port with a higher priority (smaller value) to enter the
forwarding state and a port with a lower priority (larger value) to enter the discarding state. If the two ports have the
same priority, the device selects the port with a smaller port ID to enter the forwarding state. You can assign different
port priorities to different instances on a port so that each instance runs an independent STP based on the assigned
priorities.
Similar to the switch priority, the port priority also has 16 optional values: 0, 16, 32, 48, 64, 80, 96, 112, 128, 144, 160,
176, 192, 208, 224, 240. They are integral multiples of 16. The default value is 128.
Configuration Steps
Optional.
9-41
Configuration Guide Configuring MSTP
Optional.
To change the preferred port entering the forwarding state, configure the port priority.
Verification
Run the show spanning-tree [mst instance-id] interface interface-id command to display the spanning tree
configuration of the port.
Configuration Example
9-42
Configuration Guide Configuring MSTP
Scenario
Figure 9-23
Configuration Configure the bridge priority so that DEV A becomes the root bridge of the spanning tree.
Steps Configure the priority of Gi0/2 on DEV A is 16 so that Gi0/2 on DEV B can be selected as the root port.
DEV A Step 1: Enable STP and configure the bridge priority.
Ruijie(config)#spanning-tree
DEV B
Ruijie(config)#spanning-tree
Verification
Run the show spanning-tree summary command to display the topology calculation result of the
spanning tree.
DEV A
Ruijie# Ruijie#show spanning-tree summary
Root ID Priority 0
Address 00d0.f822.3344
Bridge ID Priority 0
Address 00d0.f822.3344
9-43
Configuration Guide Configuring MSTP
DEV B
Ruijie#show spanning-tree summary
Root ID Priority 0
Address 00d0.f822.3344
Address 001a.a917.78cc
Common Errors
N/A
Configure the path cost of a port to determine the forwarding state of the port and the topology of the entire network.
If the path cost of a port uses its default value, configure the path cost calculation method to affect the calculation result.
Notes
9-44
Configuration Guide Configuring MSTP
A device selects a port as the root port if the path cost from this port to the root bridge is the lowest. Therefore, the port
path cost determines the root port of the local device. The default port path cost is automatically calculated based on
the port rate (Media Speed). A port with a higher rate will have a low path cost. Since this method can calculate the
most scientific path cost, do not change the path cost unless required. You can assign different path costs to different
instances on a port so that each instance runs an independent STP based on the assigned path costs.
If the port path cost uses the default value, the device automatically calculates the port path cost based on the port rate.
However, IEEE 802.1d-1998 and IEEE 802.1t define different path costs for the same link rate. The value is a short
integer ranging from 1 to 65,535 in 802.1d-1998 while is a long integer ranging from 1 to 200,000,000 in IEEE 802.1t.
The path cost of an aggregate port (AP) has two solutions: 1. Ruijie solution: Port Path Cost x 95%; 2. Solution
recommended in standards: 20,000,000,000/Actual link bandwidth of the AP, in which Actual link bandwidth of the AP =
Bandwidth of a member port x Number of active member ports. The administrator must unify the path cost calculation
method in the entire network. The default standard is the private long integer standard.
The following table lists path costs automatically configured for different link rate in two solutions.
Ruijie's long integer standard is used by default. After the solution is changed to the path cost solution recommended by
the standards, the path cost of an AP changes with the number of member ports in UP state. If the port path cost
changes, the network topology also will change.
If an AP is static, linkupcnt in the table is the number of active member ports. If an AP is an LACP AP, linkupcnt in the
table is the number of member ports forwarding AP data. If no member port in the AP goes up, linkupcnt is 1. For details
about AP and LACP, see the Configuring AP.
The modified port path cost takes effect only on the Rx port.
Configuration Steps
Optional.
To determine which port or path data packets prefer to pass through, configure the port path cost.
9-45
Configuration Guide Configuring MSTP
scription cost cost: Indicates the path cost, ranging from 1 to 200,000,000.
Defaults The default value of instance-id is 0.
The default value is automatically calculated based on the port rate.
1000 Mbps—20000
100 Mbps—200000
10 Mbps—2000000
Command Interface configuration mode
Mode
Usage Guide A larger value of cost indicates a higher path cost.
Optional.
To change the path cost calculation method, configure the default path cost calculation method.
Verification
Run the show spanning-tree [mst instance-id] interface interface-id command to display the spanning tree
configuration of the port.
Configuration Example
Scenario
Figure 9-24
9-46
Configuration Guide Configuring MSTP
Configuration Configure the bridge priority so that DEV A becomes the root bridge of the spanning tree.
Steps Configure the path cost of Gi 0/2 on DEV B is 1 so that Gi 0/2 can be selected as the root port.
DEV A
Ruijie(config)#spanning-tree
DEV B
Ruijie(config)#spanning-tree
Verification Run the show spanning-tree summary command to display the topology calculation result of the
spanning tree.
DEV A
Ruijie# Ruijie#show spanning-tree summary
Root ID Priority 0
Address 00d0.f822.3344
Bridge ID Priority 0
Address 00d0.f822.3344
DEV B
Ruijie#show spanning-tree summary
9-47
Configuration Guide Configuring MSTP
Root ID Priority 0
Address 00d0.f822.3344
Address 001a.a917.78cc
Common Errors
N/A
Configure the maximum hop count of a BPDU packet to change the BPDU TTL and thereby affect the network topology.
Notes
The default maximum hop count of a BPDU packet is 20. Generally, it is not recommended to change the default value.
Configuration Steps
(Optional) If the network topology is so large that a BPDU packet exceeds the default 20 hops, it is recommended to
change the maximum hop count.
9-48
Configuration Guide Configuring MSTP
device from the root bridge, the hop count decreases by 1. When the hop count becomes 0, the BPDU times
out and the device discards the packet.
This command specifies the number of devices a BPDU passes through in a region before being discarded.
Changing the maximum hop count will affect all instances.
Verification
Run the show spanning-tree max-hops command to display the configured maximum hop count.
Configuration Example
StpVersion : MSTP
SysStpStatus : ENABLED
MaxAge : 20
HelloTime : 2
ForwardDelay : 15
BridgeMaxAge : 20
BridgeHelloTime : 2
BridgeForwardDelay : 15
MaxHops: 25
TxHoldCount : 3
PathCostMethod : Long
BPDUGuard : Disabled
BPDUFilter : Disabled
LoopGuardDef : Disabled
BridgeAddr : 00d0.f822.3344
9-49
Configuration Guide Configuring MSTP
Priority: 0
TimeSinceTopologyChange : 2d:0h:46m:4s
TopologyChanges : 25
DesignatedRoot : 0.001a.a917.78cc
RootCost : 0
CistRegionRoot : 0.001a.a917.78cc
CistPathCost : 20000
After PortFast is enabled on a port, the port directly enters the forwarding state. However, since the Port Fast
Operational State becomes disabled due to receipt of BPDUs, the port can properly run the STP algorithm and enter the
forwarding state.
If BPDU guard is enabled on a port, the port enters the error-disabled state after receiving a BPDU.
If BPDU filter is enabled on a port, the port neither sends nor receives BPDUs.
Notes
The global BPDU guard takes effect only when PortFast is enabled on a port.
If BPDU filter is enabled globally, a PortFast-enabled port neither sends nor receives BPDUs. In this case, the host
connecting directly to the PortFast-enabled port does not receive any BPDUs. If the port changes its Port Fast
Operational State to Disabled after receiving a BPDU, BPDU filter automatically fails.
The global BPDU filter takes effect only when PortFast is enabled on a port.
Configuration Steps
Enabling PortFast
Optional.
If a port connects directly to the network terminal, configure this port as a PortFast port.
In global configuration mode, run the spanning-tree portfast default command to enable PortFast on all ports and the
no spanning-tree portfast default command to disable PortFast on all ports.
In interface configuration mode, run the spanning-tree portfast command to enable PortFast on a port and the
spanning-tree portfast disabled command to disable PortFast on a port.
9-50
Configuration Guide Configuring MSTP
scription
Defaults PortFast is disabled on all ports by default.
Command Global configuration mode
Mode
Usage Guide N/A
Optional.
If device ports connect directly to network terminals, you can enable BPDU guard on these ports to prevent BPDU
attacks from causing abnormality in the spanning tree topology. A port enabled with BPDU guard enters the
error-disabled state after receiving a BPDU.
If device ports connect directly to network terminals, you can enable BPDU guard to prevent loops on the ports. The
prerequisite is that the downlink device (such as the hub) can forward BPDU packets.
In global configuration mode, run the spanning-tree portfast bpduguard default command to enable BPDU guard on
all ports and the no spanning-tree portfast bpduguard default command to disable BPDU guard on all ports.
In interface configuration mode, run the spanning-tree bpduguard enabled command to enable BPDU guard on a
port and the spanning-tree bpduguard disabled command to disable BPDU guard on a port.
9-51
Configuration Guide Configuring MSTP
scription
Defaults BPDU guard is disabled on a port by default.
Command Interface configuration mode
Mode
Usage Guide If BPDU guard is enabled on a port, the port enters the error-disabled state after receiving a BPDU.
Optional.
To prevent abnormal BPDU packets from affecting the spanning tree topology, you can enable BPDU filter on a port to
filter abnormal BPDU packets.
In global configuration mode, run the spanning-tree portfast bpdufilter default command to enable BPDU filter on all
ports and the no spanning-tree portfast bpdufilter default command to disable BPDU filter on all ports.
In interface configuration mode, run the spanning-tree bpdufilter enabled command to enable BPDU filter on a port
and the spanning-tree bpdufilter disabled command to disable BPDU filter on a port.
Parameter De N/A
scription
Defaults BPDU filter is globally disabled by default.
Command Global configuration mode
Mode
Usage Guide If BPDU filter is enabled, corresponding ports neither send nor receive BPDUs.
Parameter De N/A
scription
Defaults BPDU filter is disabled on a port by default.
Command Interface configuration mode
Mode
Usage Guide If BPDU filter is enabled on a port, the port neither sends nor receives BPDUs.
Verification
Run the show spanning-tree [mst instance-id] interface interface-id command to display the spanning tree
configuration of the port.
Configuration Example
9-52
Configuration Guide Configuring MSTP
Scenario
Figure 9-25
Configuration Configure Gi 0/3 of DEV C as a PortFast port and enable BPDU guard.
Steps
DEV C
Ruijie(config)# int gi 0/3
Verification Run the show spanning-tree interface command to display the port configuration.
DEV C
Ruijie#show spanning-tree int gi 0/3
PortAdminPortFast : Enabled
PortOperPortFast : Enabled
PortAdminAutoEdge : Enabled
PortOperAutoEdge : Enabled
PortAdminLinkType : auto
PortOperLinkType : point-to-point
PortBPDUGuard : Enabled
PortBPDUFilter : Disabled
PortGuardmode : None
9-53
Configuration Guide Configuring MSTP
PortState : forwarding
PortPriority : 128
PortDesignatedRoot : 0.00d0.f822.3344
PortDesignatedCost : 0
PortDesignatedBridge :0.00d0.f822.3344
PortDesignatedPortPriority : 128
PortDesignatedPort : 4
PortForwardTransitions : 1
PortAdminPathCost : 20000
PortOperPathCost : 20000
PortRole : designatedPort
If TC protection is enabled on a port, the port deletes TC BPDU packets within a specified time (generally 4 seconds)
after receiving them, preventing MAC and ARP entry from being removed.
If TC guard is enabled, a port receiving TC packets filters TC packets received or generated by itself so that TC packets
are not spread to other ports. In this way, possible TC attacks are efficiently prevented to keep the network stable.
TC filter does not process TC packets received by ports but processes TC packets in case of normal topology changes.
Notes
It is recommended to enable TC guard only when illegal TC attack packets are received in the network.
Configuration Steps
Enabling TC Protection
Optional.
In global configuration mode, run the spanning-tree tc-protection command to enable TC protection on all ports and
the no spanning-tree tc-protection command to disable TC protection on all ports.
9-54
Configuration Guide Configuring MSTP
Enabling TC Guard
Optional.
To filter TC packets received or generated due to topology changes, you can enable TC guard.
In global configuration mode, run the spanning-tree tc-protection tc-guard command to enable TC guard on all ports
and the no spanning-tree tc-protection tc-guard command to disable TC guard on all ports.
In interface configuration mode, run the spanning-tree tc-guard command to enable TC guard on a port and the no
spanning-tree tc-guard command to disable TC guard on a port.
Enabling TC Filter
Optional.
To filter TC packets received on a port, you can enable TC filter on the port.
In interface configuration mode, run the spanning-tree ignore tc command to enable TC filter on a port and the no
spanning-tree ignore tc command to disable it on a port.
9-55
Configuration Guide Configuring MSTP
scription
Defaults TC filter is disabled by default.
Command Interface configuration mode
Mode
Usage Guide If TC filter is enabled on a port, the port does not process received TC packets.
Verification
Configuration Example
Ruijie(config)#int gi 0/1
Verification Run the show run interface command to display the TC guard configuration of the port.
Building configuration...
spanning-tree tc-guard
Common Errors
If TC guard or TC filter is incorrectly configured, an error may occur during packet forwarding of the network device. For
example, when the topology changes, the device fails to clear MAC address in a timely manner, causing packet
forwarding errors.
Enable BPDU source MAC address check. After this, a device receives only BPDU packets with the source MAC
address being the specified MAC address and discards other BPDU packets.
Notes
9-56
Configuration Guide Configuring MSTP
When the switch connected to a port on a point-to-point link is determined, you can enable BPDU source MAC address
check so that the switch receives the BPDU packets sent only by the peer switch.
Configuration Steps
Optional.
To prevent malicious BPDU attacks, you can enable BPDU source MAC address check.
In interface configuration mode, run the bpdu src-mac-check H.H.H command to enable BPDU source MAC address
check on a port and the no bpdu src-mac-check command to disable it on a port.
Verification
Configuration Example
Ruijie(config)#int gi 0/1
Verification Run the show run interface command to display the spanning tree configuration of the port.
Building configuration...
9-57
Configuration Guide Configuring MSTP
Common Errors
If BPDU source MAC address check is enabled on a port, the port receives only BPDU packets with the configured
MAC address being the source MAC address and discards all other BPDU packets.
Enable Auto Edge. If a designated port does not receive any BPDUs within a specified time (3 seconds), it is
automatically identified as an edge port. However, if the port receives BPDUs, its Port Fast Operational State will
become Disabled.
Notes
Unless otherwise specified, do not disable Auto Edge.
Configuration Steps
Optional.
In interface configuration mode, run the spanning-tree autoedge command to enable Auto Edge on a port and the
spanning-tree autoedge disabled command to disable it on a port.
You can run the spanning-tree autoedge disabled command to disable Auto Edge.
9-58
Configuration Guide Configuring MSTP
Verification
Configuration Example
Ruijie(config)#int gi 0/1
Verification Run the show spanning-tree interface command to display the spanning tree configuration of the
port.
PortAdminPortFast : Disabled
PortOperPortFast : Disabled
PortAdminAutoEdge : Disabled
PortOperAutoEdge : Disabled
PortAdminLinkType : point-to-point
PortOperLinkType : point-to-point
PortBPDUGuard : Disabled
PortBPDUFilter : Disabled
PortGuardmode : None
PortState : forwarding
PortPriority : 128
PortDesignatedRoot : 0.00d0.f822.3344
PortDesignatedCost : 0
PortDesignatedBridge :0.00d0.f822.3344
PortDesignatedPortPriority : 128
PortDesignatedPort : 2
PortForwardTransitions : 6
9-59
Configuration Guide Configuring MSTP
PortAdminPathCost : 20000
PortOperPathCost : 20000
PortRole : designatedPort
Common Errors
If the designated port of a device does not receive a BPDU from the downlink port within a specific period (3 seconds), the
device regards a network device connected to the designated port, configures the port as an edge port, and switches the port
directly into the forwarding state. It is recommended to disable the Auto Edge function, if packet loss or Tx/Rx packet delay
exists in the network environment.
If root guard is enabled on a port, its roles on all instances are enforced as the designated port. Once the port receives
configuration information with a higher priority, it enters the root-inconsistent (blocking) state. If the port does not
receive configuration information with a higher priority within a period, it returns to its original state.
Due to the unidirectional link failure, the root port or backup port becomes the designated port and enters the forwarding
state if it does not receive BPDUs, causing a network loop. Loop guard is to prevent this problem.
Notes
Root guard and loop guard cannot take effect on a port at the same time.
Configuration Steps
Optional.
The root bridge may receive configuration with a higher priority due to incorrect configuration by maintenance personnel
or malicious attacks in the network. As a result, the current root bridge may lose its role, causing incorrect topology
changes. To prevent this problem, you can enable root guard on a designated port of a device.
In interface configuration mode, run the spanning-tree guard root command to enable root guard on a port and the no
spanning-tree guard root command to disable it on a port.
9-60
Configuration Guide Configuring MSTP
attacks.
Optional.
You can enable loop guard on a port (root port, master port, or AP) to prevent it from failing to receive BPDUs sent by
the designated bridge, increasing device stability. Otherwise, the network topology will change, possibly causing a loop.
In global configuration mode, run the spanning-tree loopguard default command to enable loop guard on all ports
and the no spanning-tree loopguard default command to disable it on all ports.
In interface configuration mode, run the spanning-tree guard loop command to enable loop guard on a port and the
no spanning-tree guard loop command to disable it on a port.
Disabling Guard
Optional.
Verification
9-61
Configuration Guide Configuring MSTP
Configuration Example
Scenario
Figure 9-26
Configuration Configure DEV A as the root bridge and DEV B as a non-root bridge on a spanning tree.
Steps Enable loop guard on ports Gi 0/1 and Gi 0/2 of DEV B.
DEV A
Ruijie(config)#spanning-tree
DEV B
Ruijie(config)#spanning-tree
Verification Run the show spanning-tree interface command to display the spanning tree configuration of the
port.
DEV A
Omitted.
DEV B
Ruijie#show spanning-tree int gi 0/1
PortAdminPortFast : Disabled
PortOperPortFast : Disabled
PortAdminAutoEdge : Enabled
PortOperAutoEdge : Disabled
PortAdminLinkType : auto
PortOperLinkType : point-to-point
PortBPDUGuard : Disabled
9-62
Configuration Guide Configuring MSTP
PortBPDUFilter : Disabled
PortState : forwarding
PortPriority : 128
PortDesignatedRoot : 0.001a.a917.78cc
PortDesignatedCost : 0
PortDesignatedBridge :0.001a.a917.78cc
PortDesignatedPortPriority : 128
PortDesignatedPort : 17
PortForwardTransitions : 1
PortAdminPathCost : 20000
PortOperPathCost : 20000
PortRole : rootPort
PortAdminPortFast : Disabled
PortOperPortFast : Disabled
PortAdminAutoEdge : Enabled
PortOperAutoEdge : Disabled
PortAdminLinkType : auto
PortOperLinkType : point-to-point
PortBPDUGuard : Disabled
PortBPDUFilter : Disabled
PortState : discarding
PortPriority : 128
9-63
Configuration Guide Configuring MSTP
PortDesignatedRoot : 0.001a.a917.78cc
PortDesignatedCost : 0
PortDesignatedBridge :0.001a.a917.78cc
PortDesignatedPortPriority : 128
PortDesignatedPort : 18
PortForwardTransitions : 1
PortAdminPathCost : 20000
PortOperPathCost : 20000
PortRole : alternatePort
Common Errors
If root guard is enabled on the root port, master port, or AP, the port may be incorrectly blocked.
If STP is disabled on a device, the device needs to transparently transmit BPDU packets so that the spanning tree
between devices is properly calculated.
Notes
BPDU transparent transmission takes effect only when STP is disabled. If STP is enabled on a device, the device does
not transparently transmit BPDU packets.
Configuration Steps
Optional.
If STP is disabled on a device that needs to transparently transmit BPDU packets, enable BPDU transparent
transmission.
In global configuration mode, run the bridge-frame forwarding protocol bpdu command to enable BPDU transparent
transmission and the no bridge-frame forwarding protocol bpdu command to disable it.
BPDU transparent transmission takes effect only when STP is disabled. If STP is enabled on a device, the device does
not transparently transmit BPDU packets.
9-64
Configuration Guide Configuring MSTP
Verification
Configuration Example
Scenario
Figure 9-27
Verification Run the show run command to check whether BPDU transparent transmission is enabled.
DEV B
Ruijie#show run
Building configuration...
Enable BPDU Tunnel so that STP packets from the customer network can be transparently transmitted across the SP
network. STP packet transmission between the customer network does not affect the SP network, causing STP on the
customer network to be calculated independently of that on the SP network.
9-65
Configuration Guide Configuring MSTP
Notes
BPDU Tunnel takes effect only when it is enabled in both global configuration mode and interface configuration mode.
Configuration Steps
(Optional) In a QinQ network, you can enable BPDU Tunnel if STP needs to be calculated separately between
customer networks and SP networks.
In global configuration mode, run the l2protocol-tunnel stp command to globally enable BPDU Tunnel and the no
l2protocol-tunnel stp command to globally disable it.
In interface configuration mode, run the l2protocol-tunnel stp enable command to enable BPDU Tunnel on a port and
the no l2protocol-tunnel stp enable command to disable it on a port.
Run the l2protocol-tunnel stp tunnel-dmac mac-address command in global configuration mode to configure the
transparent transmission address of BPDU Tunnel.
BPDU Tunnel takes effect only when it is enabled in both global configuration mode and interface configuration mode.
9-66
Configuration Guide Configuring MSTP
If no transparent transmission address is configured, BPDU Tunnel uses the default address
01d0.f800.0005.
Verification
Run the show l2protocol-tunnel stp command to display the BPDU Tunnel configuration.
Configuration Example
Scenario
Figure 9-28
Configuration Enable basic QinQ on the PEs (Provider S1/Provider S2 in this example) so that data packets of the
Steps customer network are transmitted within VLAN 200 on the SP network.
Enable STP transparent transmission on the PEs (Provider S1/Provider S2 in this example) so that the
SP network can transmit STP packets of the customer network through BPDU Tunnel.
Provider S1
Step 1: Create VLAN 200 on the SP network.
Ruijie#configure terminal
9-67
Configuration Guide Configuring MSTP
Ruijie(config)#vlan 200
Ruijie(config-vlan)#exit
Step 2: Enable basic QinQ on the port connected to the customer network and use VLAN 20 for tunneling.
Step 3: Enable STP transparent transmission on the port connected to the customer network.
Ruijie(config-if-GigabitEthernet 0/1)#exit
Ruijie(config)#l2protocol-tunnel stp
Provider S2
Configure Provider S2 by performing the same steps.
Ruijie#show running-config
9-68
Configuration Guide Configuring MSTP
Provider S2
Verify Provider S2 configuration by performing the same steps.
Common Errors
In the SP network, BPDU packets can be correctly transparently transmitted only when the transparent transmission
addresses of BPDU Tunnel are consistent.
9.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears the statistics of packets sent clear spanning-tree counters [ interface interface-id ]
and received on a port.
Clears the STP topology change clear spanning-tree mst instance-id topochange record
information.
Displaying
Description Command
Displays MSTP parameters and spanning tree topology
show spanning-tree
information.
Displays the count of sent and received MSTP packets. show spanning-tree counters [ interface interface-id ]
Displays MSTP instances and corresponding port
show spanning-tree summary
forwarding status.
Displays the ports that are blocked by root guard or loop
show spanning-tree inconsistentports
guard.
Displays the configuration of an MST region. show spanning-tree mst configuration
Displays MSTP information of an instance. show spanning-tree mst instance-id
Displays MSTP information of the instance
show spanning-tree mst instance-id interface interface-id
corresponding to a port.
Displays topology changes of a port in an instance. show spanning-tree mst instance-id topochange record
9-69
Configuration Guide Configuring MSTP
Debugging
System resources are occupied when debugging information is output. Therefore, disable the debugging switch
immediately after use.
Description Command
Debugs all STPs. debug mstp all
Debugs MSTP Graceful Restart (GR). debug mstp gr
Debugs BPDU packet receiving. debug mstp rx
Debugs BPDU packet sending. debug mstp tx
Debugs MSTP events. debug mstp event
Debugs loop guard. debug mstp loopguard
Debugs root guard. debug mstp rootguard
Debugs the bridge detection state machine. debug mstp bridgedetect
Debugs the port information state machine. debug mstp portinfo
Debugs the port protocol migration state debug mstp protomigrat
machine.
Debugs MSTP topology changes. debug mstp topochange
Debugs the MSTP receiving state machine. debug mstp receive
Debugs the port role transition state debug mstp roletran
machine.
Debugs the port state transition state debug mstp statetran
machine.
Debugs the MSTP sending state machine. debug mstp transmit
9-70
Configuration Guide Configuring GVRP
10 Configuring GVRP
10.1 Overview
The GARP VLAN Registration Protocol (GVRP) is an application of the Generic Attribute Registration Protocol (GARP) used
to dynamically configure and proliferate VLAN memberships.
GVRP simplifies VLAN configuration and management. It reduces the workload of manually configuring VLANs and adding
ports to VLANs, and reduces the possibility of network disconnection due to inconsistent configuration. With GVRP, you can
dynamically maintain VLANs and add/remove ports to/from VLANs to ensure VLAN connectivity in a topology.
10.2 Applications
Application Description
GVRP Configuration in a LAN Connect two switches in a local area network (LAN) and realize VLAN
synchronization.
GVRP PDUs Tunnel Application Use the GVRP Protocol Data Units (PDUs) Tunnel feature to transparently transmit
GVRP packets through a tunnel in a QinQ network environment.
Enable GVRP and set the GVRP registration mode to Normal to register and deregister all dynamic and static VLANs
between Device A and Device F.
Figure 10-1
10-1
Configuration Guide Configuring GVRP
Remarks Device A, Device B, Device C, Device D, Device E, and Device F are switches. The ports connected between two
devices are Trunk ports.
On Device A and Device F, configure static VLANs used for communication.
Enable GVRP on all switches.
Deployment
On each device, enable the GVRP and dynamic VLAN creation features, and ensure that dynamic VLANs can be
created on intermediate devices.
On Device A and Device F, configure static VLANs used for communication. Device B, Device C, Device D, and Device
E will dynamically learn the VLANs through GVRP.
It is recommended that the Spanning Tree Protocol (STP) be enabled to avoid loops in the customer network topology.
A QinQ network environment is generally divided into a customer network and a service provider (SP) network. The GVRP
PDUs Tunnel feature allows GVRP packets to be transmitted between customer networks without impact on SP networks.
The GVRP calculation in customer networks is separated from that in SP networks without interference.
Remarks Figure 10-2 shows an SP network and a customer network. The SP network contains the provider edge (PE)
devices Provider S1 and Provider S2. Customer Network A1 and Customer Network A2 are the same customer's
two sites in different locations. Customer S1 and Customer S2 are the access devices in the customer
network, which are connected to the SP network through Provider S1 and Provider S2 respectively.
The GVRP PDUs Tunnel feature allows Customer Network A1 and Customer Network A2 to perform unified
GVRP calculation across the SP network, without impact on the SP network's GVRP calculation.
10-2
Configuration Guide Configuring GVRP
Deployment
Enable basic QinQ on the PEs (Provider S1 and Provider S2) in the SP network to transmit data packets from the
customer network through a specified VLAN in the SP network.
Enable GVRP transparent transmission on the PEs (Provider S1 and Provider S2) in the SP network to allow the SP
network to tunnel GVRP packets from the customer network via the GVRP PDUs Tunnel feature.
10.3 Features
Basic Concepts
GVRP
GVRP is an application of GARP used to register and deregister VLAN attributes in the following modes:
When a port receives a VLAN attribute declaration, the port will register the VLAN attributes contained in the declaration
(that is, the port will join the VLAN).
When a port receives a VLAN attribute revocation declaration, the port will deregister the VLAN attributes contained in
the declaration (that is, the port will exit the VLAN).
Figure 10-3
Dynamic VLAN
A VLAN that can be dynamically created and deleted without the need for manual configuration is called a dynamic VLAN.
You can manually convert a dynamic VLAN to a static VLAN, but not the way around.
A protocol state machine controls the joining of ports to dynamic VLANs created through GVRP. Only the Trunk ports that
receive GVRP VLAN attribute declaration can join these VLANs. You cannot manually add ports to dynamic VLANs.
Message Types
When a GARP application entity hopes other GARP entities to register its attributes, it will send a Join message. When a
GARP entity receives a Join message from another entity or requires other entities to register its static attributes, it will send
a Join message. There are two types of Join message: JoinEmpty and JoinIn.
10-3
Configuration Guide Configuring GVRP
When a GARP application entity hopes other GARP entities to deregister its attributes, it will send a Leave message. When a
GARP entity receives a Leave message from another entity or requires other entities to deregister its statically deregistered
attributes, it will send a Leave message. There are two types of Leave message: LeaveEmpty and LeaveIn.
Each GARP application entity starts its LeaveAll timer during startup. When the timer times out, the entity sends a LeaveAll
message to deregister all attributes to enable other GARP entities to reregister attributes. When the GARP application entity
receives a LeaveAll message from another entity, it also sends a LeaveAll message. The LeaveAll timer is restarted when a
LeaveAll message is sent again to initiate a new cycle.
Timer Types
The Hold timer controls the sending of GARP messages (including Join and Leave messages). When a GARP application
entity has its attributes changed or receives a GARP message from another entity, it starts the Hold timer. During the timeout
period, the GARP application entity encapsulates all GARP messages to be sent into packets as few as possible, and sends
the packets when the timer times out. This reduces the quantity of sent packets and saves bandwidth resources.
The Join timer controls the sending of Join messages. After a GARP application entity sends a Join message, it waits for one
timeout interval of the Join timer to ensure that the Join message is reliably transmitted to another entity. If the GARP
application entity receives a JoinIn message from another entity before the timer times out, it will not resend the Join
message; otherwise, it will resend the Join message. Not each attribute has its own Join timer, but each GARP application
entity has one Join timer.
The Leave timer controls attribute deregistration. When a GARP application entity hopes other entities to deregister one of its
attributes, it sends a Leave message. Other entities which receive the Leave message start the Leave timer. The attribute will
be deregistered only if these entities receive no Join message mapped to the attribute during the timeout period.
Each GARP application entity starts its own LeaveAll timer upon startup. When the timer times out, the entity sends a
LeaveAll message to enable other entities to reregister attributes. Then the LeaveAll timer is restarted to initiate a new cycle.
GVRP allows a switch to inform other interconnected devices of its VLANs and instruct the peer device to create specific
VLANs and add the ports that transmit GVRP packets to corresponding VLANs.
10-4
Configuration Guide Configuring GVRP
Normal mode: A device externally advertises its VLAN information, including dynamic and static VLANs.
Non-applicant mode: A device does not externally advertise its VLAN information.
A GVRP registration mode specifies whether the switch that receives a GVRP packet processes the VLAN information in the
packet, such as dynamically creating a new VLAN and adding the port that receives the packet to the VLAN.
Normal mode: Process the VLAN information in the received GVRP packet.
Disabled mode: No to process the VLAN information in the received GVRP packet.
Overview
Feature Description
Intra-Topology VLAN Dynamically creates VLANs and adds/removes ports to/from VLANs, which reduces the manual
Information configuration workload and the probability of VLAN disconnection due to missing configuration.
Synchronization
GVRP is an application of GARP based on the GARP working mechanism. GVRP maintains the dynamic registration
information of VLANs on a device and propagates the information to other devices. A GVRP-enabled device receives VLAN
registration information from other devices and dynamically updates the local VLAN registration information. The device also
propagates the local VLAN registration information to other devices so that all devices in a LAN maintain consistent VLAN
information. The VLAN registration information propagated by GVRP includes the manually-configured static registration
information on the local device and the dynamic registration information from other devices.
The Trunk port on a GVRP-enabled device periodically collects VLAN information within the port, including the VLANs that
the Trunk port joins or exits. The collected VLAN information is encapsulated in a GVRP packet to be sent to the peer device.
After the Trunk port on the peer device receives the packet, it resolves the VLAN information. Then corresponding VLANs will
be dynamically created, and the Trunk port will join the created VLANs or exit other VLANs. For details about the VLAN
information, see the above description of GVRP message types.
Upon receiving a GVRP packet, the switch determines whether to process the VLAN information in the packet according to
the registration mode of the corresponding port. For details, see the above description of GVRP registration modes.
10-5
Configuration Guide Configuring GVRP
10.4 Configuration
(Optional) It is used to configure timers and the registration mode and advertising mode of a
port.
10-6
Configuration Guide Configuring GVRP
Notes
GVRP must be enabled on both connected devices. GVRP information is transmitted only by Trunk Links. The
transmitted information contains the information of all VLANs on the current device, including dynamically learned
VLANs and manually configured VLANs.
If STP is enabled, only ports in Forwarding state participate in GVRP (such as receiving and sending GVRP PDUs) and
have their VLAN information propagated by GVRP.
The system does not save the VLAN information that is dynamically learned by GVRP. The information will be lost when
the device is reset and cannot be saved manually.
All devices that need to exchange GVRP information must maintain consistent GVRP timers (Join timer, Leave timer,
and Leaveall timer).
If STP is not enabled, all available ports can participate in GVRP. If Single Spanning Tree (SST) is enabled, only ports
in Forwarding state in the SST Context participate in GVRP. If Multi Spanning Tree (MST) is enabled, GVRP can run in
the Spanning Tree Context to which VLAN1 belongs. You cannot specify other Spanning Tree Context for GVRP.
Configuration Steps
Enabling GVRP
Mandatory.
After GVRP is enabled on a device, the device sends GVRP packets carrying VLAN information. If GVRP is disabled on
the device, the device does not send GVRP packets carrying VLAN information or process received GVRP packets.
10-7
Configuration Guide Configuring GVRP
Mandatory.
After dynamic VLAN creation is enabled on a device, the device will dynamically create VLANs upon receiving GVRP
Join messages.
The parameters of a dynamic VLAN created through GVRP cannot be modified manually.
Configuring Timers
Optional.
There are three GVRP timers: Join timer, Leave timer, and Leaveall timer, which are used to control message sending
intervals.
The timer interval relationships are as follows: The interval of the Leave timer must be three times or more greater than
that of the Join timer; the interval of the Leaveall timer must be greater than that of the Leave timer.
The three timers are controlled by the GVRP state machine and can be triggered by each other.
10-8
Configuration Guide Configuring GVRP
Ensure that the GVRP timer settings on all interconnected GVRP devices are consistent; otherwise,
GVRP may work abnormally.
Optional.
Two GVRP advertising modes are available: Normal (default) and Non-applicant.
Normal mode: Indicates that a device externally advertises its VLAN information.
Non-applicant mode: Indicates that a device does not externally advertise its VLAN information.
Optional.
To enable dynamic VLAN registration on a port, run the gvrp registration mode normal command. To disable
dynamic VLAN registration on a port, run the gvrp register mode disable command.
If dynamic VLAN registration is enabled, dynamic VLANs will be created on the local device when the port receives a
GVRP packet carrying VLAN information from the peer end. If dynamic VLAN registration is disabled, no dynamic
VLAN will be created on the local device when the port receives a GVRP packet from the peer end.
The two registration modes do not affect the static VLANs on the port. The registration mode for manually-created static
VLANs is always Fixed Registrar.
10-9
Configuration Guide Configuring GVRP
Mandatory.
Verification
Check whether a dynamic VLAN is configured and the corresponding port joins the VLAN.
Configuration Example
Enabling GVRP in a Topology and Dynamically Maintaining VLANs and the VLAN-Port Relationship
Scenario
Figure 10-4
Configuration On Switch A and Switch C, configure VLANs used for communication in the customer network.
Steps Enable the GVRP and dynamic VLAN creation features on Switch A, Switch B, and Switch C.
Configure the ports connected between switches as Trunk ports, and ensure that the VLAN lists of
Trunk ports include the communication VLANs. By default, a Trunk port allows the traffic from all
VLANs to pass through.
It is recommended that STP be enabled to avoid loops.
A 1. Create VLAN 1–200 used for communication in the customer network.
A# configure terminal
3. Configure the port connected to Switch B as a Trunk port. By default, a Trunk port allows the traffic from
all VLANs to pass through.
4. Configure the advertising mode and registration mode of the Trunk port. The Normal mode is used by
default and does not need to be configured manually.
10-10
Configuration Guide Configuring GVRP
B# configure terminal
Verification Check whether the GVRP configuration on each device is correct. Check whether VLAN 2–100 are
dynamically created on Switch B and whether Port G 0/2 and Port G 0/3 on Switch B join the dynamic
VLANs.
A
A# show gvrp configuration
GVRP Feature:enabled
Join Timers(ms):200
Leave Timers(ms):600
Leaveall Timers(ms):1000
B
B# show gvrp configuration
GVRP Feature:enabled
Join Timers(ms):200
Leave Timers(ms):600
Leaveall Timers(ms):1000
10-11
Configuration Guide Configuring GVRP
C
C# show gvrp configuration
GVRP Feature:enabled
Join Timers(ms):200
Leave Timers(ms):600
Leaveall Timers(ms):1000
Common Errors
The VLAN lists of the ports connected between devices do not include the VLANs used for communication in the
customer network.
The GVRP advertising modes and registration modes of Trunk ports are not set to Normal.
Enable devices to transparently transmit GVRP PDU frames to realize normal inter-device GVRP calculation when GVRP is
not enabled.
Notes
GVRP PDUs transparent transmission takes effect only when GVRP is disabled. After GVRP is enabled, devices will not
transparently transmit GVRP PDU frames.
Configuration Steps
Optional.
10-12
Configuration Guide Configuring GVRP
Perform this configuration when you need to enable devices to transparently transmit GVRP PDU frames when GVRP
is disabled.
Command
bridge-frame forwarding protocol gvrp
Parameter De N/A
scription
Defaults By default, GVRP PDUs transparent transmission is disabled.
Command Global configuration mode
Mode
Usage Guide In the IEEE 802.1Q standard, the destination MAC address 01-80-C2-00-00-06 for GVRP PDUs is
reserved. Devices compliant with IEEE 802.1Q do not forward received GVRP PDU frames. However, in
actual network deployment, devices may need to transparently transmit GVRP PDU frames to realize
normal inter-device GVRP calculation when GVRP is not enabled.
GVRP PDUs transparent transmission takes effect only when GVRP is disabled. After GVRP is enabled,
devices will not transparently transmit GVRP PDU frames.
Verification
Run the show run command to check whether GVRP PDUs transparent transmission is enabled.
Configuration Example
Scenario
Figure 10-5
Enable GVRP on DEV A and DEV C. (DEV B is not enabled with GVRP.)
Configure GVRP PDUs transparent transmission on DEV B to realize normal GVRP calculation
Configuration
between DEV A and DEV C.
Steps
Run the show run command to check whether GVRP PDUs transparent transmission is enabled.
Verification
Building configuration...
10-13
Configuration Guide Configuring GVRP
Transparently transmit GVRP packets between customer networks through tunnels in SP networks without impact on the SP
networks, and thereby separate the GVRP calculation in customer networks from that in SP networks.
Notes
The GVRP PDUs Tunnel feature takes effect after it is enabled in global configuration mode and interface configuration
mode.
Configuration Steps
(Optional) Perform this configuration when you need to separate GVRP calculation between customer networks and SP
networks in a QinQ environment.
Run the l2protocol-tunnel gvrp command in global configuration mode to enable the GVRP PDUs Tunnel feature.
Run the l2protocol-tunnel gvrp enable command in interface configuration mode to enable the GVRP PDUs Tunnel
feature.
Run the l2protocol-tunnel gvrp tunnel-dmac mac-address command to configure the transparent transmission
address used by the GVRP PDUs Tunnel feature.
10-14
Configuration Guide Configuring GVRP
configuration mode.
When no transparent transmission address is configured, the default address 01d0.f800.0006 is used.
Verification
Run the show l2protocol-tunnel gvrp command to check the GVRP PDUs Tunnel configuration.
Configuration Example
Scenario
Figure 10-6
Configuration Enable basic QinQ on the PEs (Provider S1 and Provider S2) in the SP network to transmit data
Steps packets from the customer network through VLAN 200 in the SP network.
10-15
Configuration Guide Configuring GVRP
Enable GVRP transparent transmission on the PEs (Provider S1 and Provider S2) in the SP network to
allow the SP network to tunnel GVRP packets from the customer network via the GVRP PDUs Tunnel
feature.
Provider S1
Step 1: Create VLAN 200 of the SP network.
Ruijie#configure terminal
Ruijie(config)#vlan 200
Ruijie(config-vlan)#exit
Step 2: Enable basic QinQ on the port connected to the customer network to tunnel data from the customer
network through VLAN 200.
Step 3: Enable GVRP transparent transmission on the port connected to the customer network.
Ruijie(config-if-GigabitEthernet 0/1)#exit
Ruijie(config)#l2protocol-tunnel gvrp
Provider S2
The configuration on Provider S2 is similar to that on Provider S1.
10-16
Configuration Guide Configuring GVRP
Ruijie#show running-config
Provider S2
The verification on Provider S2 is the same as that on Provider S1.
Common Errors
In an SP network, transparent transmission addresses are not configured consistently, which affects the transmission of
GVRP PDU frames.
10.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Displaying
Description Command
10-17
Configuration Guide Configuring GVRP
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
10-18
Configuration Guide Configuring LLDP
11 Configuring LLDP
11.1 Overview
The Link Layer Discovery Protocol (LLDP), defined in the IEEE 802.1AB standard, is used to discover the topology and
identify topological changes. LLDP encapsulates local information of a device into LLDP data units (LLDPDUs) in the
type/length/value (TLV) format and then sends the LLDPDUs to neighbors. It also stores LLDPDUs from neighbors in the
management information base (MIB) to be accessed by the network management system (NMS).
With LLDP, the NMS can learn about topology, for example, which ports of a device are connected to other devices
and whether the rates and duplex modes at both ends of a link are consistent. Administrators can quickly locate and rectify a
fault based on the information.
A Ruijie LLDP-compliant device is capable of discovering neighbors when the peer is either of the following:
Endpoint device that complies with the Link Layer Discovery Protocol-Media Endpoint Discovery (LLDP-MED)
IEEE 802.1AB 2005: Station and Media Access Control Connectivity Discovery
11.2 Applications
Application Description
Displaying Topology Multiple switches, a MED device, and an NMS are deployed in the network topology.
Conducting Error Detection Two switches are directly connected and incorrect configuration will be displayed.
Multiple switches, a MED device, and an NMS are deployed in the network topology.
As shown in the following figure, the LLDP function is enabled by default and no additional configuration is required.
Switch A discovers its neighbor MED device, that is, IP-Phone, through port GigabitEthernet 0/1.
Figure 11-1
11-1
Configuration Guide Configuring LLDP
Remarks Ruijie Switch A, Switch B, and IP-Phone support LLDP and LLDP-MED.
LLDP on switch ports works in TxRx mode.
The LLDP transmission interval is 30 seconds and transmission delay is 2 seconds by default.
Deployment
Run the Simple Network Management Protocol (SNMP) on the switch so that the NMS acquires and sets
LLDP-relevant information on the switch.
Two switches are directly connected and incorrect configuration will be displayed.
As shown in the following figure, the LLDP function and LLDP error detection function are enabled by default, and no
additional configuration is required.
After you configure a virtual local area network (VLAN), port rate and duplex mode, link aggregation, and maximum
transmission unit (MTU) of a port on Switch A, an error will be prompted if the configuration does not match that on
Switch B, and vice versa.
Figure 11-2
Deployment
Run LLDP on a switch to implement neighbor discovery and detect link fault.
11-2
Configuration Guide Configuring LLDP
11.3 Features
Basic Concepts
LLDPDU
LLDPDU is a protocol data unit encapsulated into an LLDP packet. Each LLDPDU is a sequence of TLV structures. The TLV
collection consists of three mandatory TLVs, a series of optional TLVs, and one End Of TLV. The following figure shows the
format of an LLDPDU.
In an LLDPDU, Chassis ID TLV, Port ID TLV, Time To Live TLV, and End Of LLDPDU TLV are mandatory and TLVs of
other TLVs are optional.
LLDP packets can be encapsulated in two formats: Ethernet II and Subnetwork Access Protocols (SNAP).
The following figure shows the format of LLDP packets encapsulated in the Ethernet II format.
Destination Address: Indicates the destination MAC address, which is the LLDP multicast address 01-80-C2-00-00-0E.
Source Address: Indicates the source MAC address, which is the port MAC address.
Figure 11-5 shows the format of LLDP packets encapsulated in the SNAP format.
Destination Address: Indicates the destination MAC address, which is the LLDP multicast address 01-80-C2-00-00-0E.
11-3
Configuration Guide Configuring LLDP
Source Address: Indicates the source MAC address, which is the port MAC address.
SNAP-encoded Ethertype: Indicates the Ethernet type of the SNMP encapsulation, which is
AA-AA-03-00-00-00-88-CC.
TLV
Basic management TLVs are a collection of basic TLVs used for network management. Organizationally specific TLVs are
defined by standard organizations and other institutions, for example, the IEEE 802.1 organization and IEEE 802.3
organization define their own TLV collections.
The basic management TLV collection consists of two types of TLVs: mandatory TLVs and optional TLVs. A mandatory TLV
must be contained in an LLDPDU for advertisement and an optional TLV is contained selectively.
Different organizations, such as the IEEE 802.1, IEEE 802.3, IETF and device suppliers, define specific TLVs to advertise
specific information about devices. The organizationally unique identifier (OUI) field in a TLV is used to distinguish different
organizations.
11-4
Configuration Guide Configuring LLDP
Organizationally specific TLVs are optional and are advertised in an LLDPDU selectively. Currently, there are three
types of common organizationally specific TLVs: IEEE 802.1 organizationally specific TLVs, IEEE 802.3
organizationally specific TLVs, and LLDP-MED TLVs.
Ruijie LLDP-compliant switches do not send the Protocol Identity TLV but receive this TLV.
Ruijie LLDP-compliant devices support advertisement of IEEE 802.3 organizationally specific TLVs.
LLDP-MED TLV
LLDP-MED is an extension to LLDP based on IEEE 802.1AB LLDP. It enables users to conveniently deploy the Voice Over
IP (VoIP) network and detect faults. It provides applications including the network configuration policies, device discovery,
PoE management, and inventory management, meeting requirements for low cost, effective management, and easy
deployment.
11-5
Configuration Guide Configuring LLDP
Overview
Feature Description
LLDP Work Mode Configures the mode of transmitting and receiving LLDP packets.
LLDP Transmission Enables directly connected LLDP-compliant devices to send LLDP packets to the peer.
Mechanism
LLDP Reception Enables directly connected LLDP-compliant devices to receive LLDP packets from the peer.
Mechanism
Working Principle
When the LLDP work mode is changed, the port initializes the protocol state machine. You can set a port initialization delay
to prevent repeated initialization of a port due to frequent changes of the LLDP work mode.
Related Configuration
You can run the lldp mode command to configure the LLDP work mode.
If the work mode is set to TxRx, the device can both transmit and receive LLDP packets. If the work mode is set to Rx Only,
the device can only receive LLDP packets. If the work mode is set to Tx Only, the device can only transmit LLDP packets. If
the work mode is disabled, the device cannot transmit or receive LLDP packets.
11-6
Configuration Guide Configuring LLDP
Working Principle
LLDP periodically transmits LLDP packets when working in TxRx or Tx Only mode. When information about the local device
changes, LLDP immediately transmits LLDP packets. You can configure a delay time to avoid frequent transmission of LLDP
packets caused by frequent changes of local information.
LLDP provides two types of packets:
Standard LLDP packet, which contains management and configuration information about the local device.
Shutdown packet: When the LLDP work mode is disabled or the port is shut down, LLDP Shutdown packets will be
transmitted. A Shutdown packet consists of the Chassis ID TLV, Port ID TLV, Time To Live TLV, and End OF LLDP TLV.
TTL in the Time to Live TLV is 0. When a device receives an LLDP Shutdown packet, it considers that the neighbor
information is invalid and immediately deletes it.
When the LLDP work mode is changed from disabled or Rx to TxRx or Tx, or when LLDP discovers a new neighbor (that is, a
device receives a new LLDP packet and the neighbor information is not stored locally), the fast transmission mechanism is
started so that the neighbor quickly learns the device information. The fast transmission mechanism enables a device to
transmit multiple LLDP packets at an interval of 1 second.
Related Configuration
Run the lldp mode txrx or lldp mode tx command to enable the LLDP packet transmission function. Run the lldp mode rx
or no lldp mode command to disable the LLDP packet transmission function.
In order to enable LLDP packet reception, set the work mode to TxRx or Rx Only. If the work mode is set to Rx Only, the
device can only receive LLDP packets.
Run the lldp timer tx-delay command to change the LLDP transmission delay.
If the delay is set to a very small value, the frequent change of local information will cause frequent transmission of LLDP
packets. If the delay is set to a very large value, no LLDP packet may be transmitted even if local information is changed.
Run the lldp timer tx-interval command to change the LLDP transmission interval.
11-7
Configuration Guide Configuring LLDP
If the interval is set to a very small value, LLDP packets may be transmitted frequently. If the interval is set to a very large
value, the peer may not discover the local device in time.
By default, an interface is allowed to advertise TLVs of all types except Location Identification TLV.
Run the lldp fast-count command to change the number of LLDP packets that are fast transmitted.
Working Principle
A device can receive LLDP packets when working in TxRx or Rx Only mode. After receiving an LLDP packet, a device
conducts validity check. After the packet passes the check, the device checks whether the packet contains information about
a new neighbor or about an existing neighbor and stores the neighbor information locally. The device sets the TTL of
neighbor information according to the value of TTL TLV in the packet. If the value of TTL TLV is 0, the neighbor information is
aged immediately.
Related Configuration
Run the lldp mode txrx or lldp mode rx command to enable the LLDP packet reception function. Run the lldp mode tx or
no lldp mode command to disable the LLDP packet reception function.
In order to enable LLDP packet reception, set the work mode to TxRx or Rx Only. If the work mode is set to Tx Only, the
device can only transmit LLDP packets.
11.4 Configuration
11-8
Configuration Guide Configuring LLDP
(Optional) It is used to configure the number of LLDP packets that are fast transmitted.
Configuring the LLDP Fast
lldp fast-count value Configures the LLDP fast transmission count.
Transmission Count
Restores the default LLDP fast transmission
no lldp fast-count
count.
(Optional) It is used to configure the delay time for LLDP packet transmission.
Configuring the
Transmission Delay lldp timer tx-delay seconds Configures the transmission delay.
no lldp timer tx-delay Restores the default transmission delay.
(Optional) It is used to configure the delay time for LLDP to initialize on any interface.
Configuring the
Initialization Delay lldp timer reinit-delay seconds Configures the initialization delay.
no lldp timer reinit-delay Restores the default initialization delay.
Configuring the LLDP Trap lldp notification remote-change enable Enables the LLDP Trap function.
Function no lldp notification remote-change enable Disables the LLDP Trap function.
Configures the LLDP Trap transmission
lldp timer notification-interval
interval.
11-9
Configuration Guide Configuring LLDP
11-10
Configuration Guide Configuring LLDP
Notes
To make the LLDP function take effect on an interface, you need to enable the LLDP function globally and on the
interface.
Configuration Steps
Optional.
Verification
Related Commands
11-11
Configuration Guide Configuring LLDP
Configuration Example
Common Errors
If the LLDP function is enabled on an interface but disabled in global configuration mode, the LLDP function does not
take effect on the interface.
If a neighbor does not support LLDP but it is connected to an LLDP-supported device, a port may learn information
about the device that is not directly connected to the port because the neighbor may forward LLDP packets.
If you set the LLDP work mode to TxRx, the interface can transmit and receive packets.
If you set the LLDP work mode to Tx, the interface can only transmit packets but cannot receive packets.
If you set the LLDP work mode to Rx, the interface can only receive packets but cannot transmit packets.
If you disable the LLDP work mode, the interface can neither receive nor transmit packets.
Notes
LLDP runs on physical ports (AP member ports for AP ports). Stacked ports and VSL ports do not support LLDP.
Configuration Steps
Optional.
Verification
11-12
Configuration Guide Configuring LLDP
Related Commands
Configuration Example
Port state : UP
Notification enable : NO
11-13
Configuration Guide Configuring LLDP
Number of neighbors : 0
Configure the type of TLVs to be advertised to specify the LLDPDUs in LLDP packets.
Notes
If you configure the all parameter for the basic management TLVs, IEEE 802.1 organizationally specific TLVs, and
IEEE 802.3 organizationally specific TLVs, all optional TLVs of these types are advertised.
If you configure the all parameter for the LLDP-MED TLVs, all LLDP-MED TLVs except Location Identification TLV are
advertised.
If you want to configure the LLDP-MED Capability TLV, configure the LLDP 802.3 MAC/PHY TLV first; If you want to
cancel the LLDP 802.3 MAC/PHY TLV, cancel the LLDP-MED Capability TLV first.
If you want to configure LLDP-MED TLVs, configure the LLDP-MED Capability TLV before configuring other types of
LLDP-MED TLVs. If you want to cancel LLDP-MED TLVs, cancel the LLDP-MED Capability TLV before canceling other
types of LLDP-MED TLVs If a device is connected to an IP-Phone that supports LLDP-MED, you can configure the
Network Policy TLV to push policy configuration to the IP-Phone.
If a device supports the DCBX function by default, ports of the device are not allowed to advertise IEEE 802.3
organizationally specific TLVs and LLDP-MED TLVs by default.
Configuration Steps
Optional.
Verification
Related Commands
11-14
Configuration Guide Configuring LLDP
power-over-ethernet } }
Parameter De basic-tlv: Indicates the basic management TLV.
scription port-description: Indicates the Port Description TLV.
system-capability: Indicates the System Capabilities TLV.
system-description: Indicates the System Description TLV.
system-name: Indicates the System Name TLV.
dot1-tlv: Indicates the IEEE 802.1 organizationally specific TLVs.
port-vlan-id: Indicates the Port VLAN ID TLV.
protocol-vlan-id: Indicates the Port And Protocol VLAN ID TLV.
vlan-id: Indicates the Port Protocol VLAN ID, ranging from 1 to 4,094.
vlan-name: Indicates the VLAN Name TLV.
vlan-id: Indicates the VLAN name, ranging from 1 to 4,094.
dot3-tlv: Indicates the IEEE 802.3 organizationally specific TLVs.
link-aggregation: Indicates the Link Aggregation TLV.
mac-physic: Indicates the MAC/PHY Configuration/Status TLV.
max-frame-size: Indicates the Maximum Frame Size TLV.
power: Indicates the Power Via MDI TLV.
med-tlv: Indicates the LLDP MED TLV.
capability: Indicates the LLDP-MED Capabilities TLV.
Inventory: Indicates the inventory management TLV, which contains the hardware version, firmware
version, software version, SN, manufacturer name, module name, and asset identifier.
location: Indicates the Location Identification TLV.
civic-location: Indicates the civic address information and postal information.
elin: Indicates the emergency telephone number.
id: Indicates the policy ID, ranging from 1 to 1,024.
network-policy: Indicates the Network Policy TLV.
profile-num: Indicates the Network Policy ID, ranging from 1 to 1,024.
power-over-ethernet: Indicates the Extended Power-via-MDI TLV.
Command Interface configuration mode
Mode
Usage Guide N/A
Canceling TLVs
11-15
Configuration Guide Configuring LLDP
Configuration Example
Configuration Cancel the advertisement of the IEEE 802.1 organizationally specific Port And Protocol VLAN ID TLV.
Steps
11-16
Configuration Guide Configuring LLDP
Configure the management address to be advertised in LLDP packets in interface configuration mode.
After the management address to be advertised is cancelled, the management address in LLDP packets is subject to
the default settings.
Notes
LLDP runs on physical ports (AP member ports for AP ports). Stacked ports and VSL ports do not support LLDP.
11-17
Configuration Guide Configuring LLDP
Configuration Steps
Optional.
Configure the management address to be advertised in LLDP packets in interface configuration mode.
Verification
Related Commands
Configuration Example
11-18
Configuration Guide Configuring LLDP
Steps
Interface number : 1
Object identifier :
Port VLAN ID : 1
PPVID Enabled : NO
Protocol Identity :
PMD auto-negotiation advertised : 1000BASE-T full duplex mode, 100BASE-TX full duplex mode,
100BASE-TX half duplex mode, 10BASE-T full duplex mode, 10BASE-T half duplex mode
PoE support : NO
11-19
Configuration Guide Configuring LLDP
Aggregation port ID : 0
Configuration Steps
Optional.
Configure the number of LLDP packets that are fast transmitted in global configuration mode.
Verification
Related Commands
11-20
Configuration Guide Configuring LLDP
Parameter De N/A
scription
Command Global configuration mode
Mode
Usage Guide N/A
Configuration Example
Configuration Set the LLDP fast transmission count to 5 in global configuration mode.
Steps
Ruijie(config)#lldp fast-count 5
Hold multiplier : 4
Reinit delay : 2s
Transmit delay : 2s
Notification interval : 5s
Configuration Steps
Optional.
Verification
11-21
Configuration Guide Configuring LLDP
Related Commands
Configuration Example
11-22
Configuration Guide Configuring LLDP
Configuration Set the TTL multiplier to 3 and the transmission interval to 20 seconds. The TTL of local device information
Steps on neighbors is 61 seconds.
Ruijie(config)#lldp hold-multiplier 3
Ruijie(config)#lldp hold-multiplier 3
Hold multiplier : 3
Reinit delay : 2s
Transmit delay : 2s
Notification interval : 5s
Configuration Steps
Optional.
Verification
Related Commands
11-23
Configuration Guide Configuring LLDP
scription
Command Global configuration mode
Mode
Usage Guide When local information of a device changes, the device immediately transmits LLDP packets to its
neighbors. Configure the transmission delay to prevent frequent transmission of LLDP packets caused by
frequent changes of local information.
Configuration Example
Hold multiplier : 4
Reinit delay : 2s
Transmit delay : 3s
Notification interval : 5s
11-24
Configuration Guide Configuring LLDP
Configuration Steps
Optional.
Verification
Related Commands
Configuration Example
11-25
Configuration Guide Configuring LLDP
Hold multiplier : 4
Reinit delay : 3s
Transmit delay : 2s
Notification interval : 5s
Configuration Steps
Optional.
Optional.
Verification
Related Commands
11-26
Configuration Guide Configuring LLDP
and communication link fault) to the NMS server so that administrators learn about the network performance
Configuration Example
Enabling the LLDP Trap Function and Configuring the LLDP Trap Transmission Interval
Configuration Enable the LLDP Trap function and set the LLDP Trap transmission interval to 10 seconds.
Steps
11-27
Configuration Guide Configuring LLDP
Hold multiplier : 4
Reinit delay : 2s
Transmit delay : 2s
------------------------------------------------------------
------------------------------------------------------------
Port state : UP
Number of neighbors : 0
Enable the LLDP error detection function. When LLDP detects an error, the error is logged.
Configure the LLDP error detection function to detect VLAN configuration at both ends of a link, port status, aggregate
port configuration, MTU configuration, and loops.
Notes
N/A
Configuration Steps
Optional.
Enable or disable the LLDP error detection function in interface configuration mode.
11-28
Configuration Guide Configuring LLDP
Verification
Related Commands
Configuration Example
Configuration Enable the LLDP error detection function on interface GigabitEthernet 0/1.
Steps
11-29
Configuration Guide Configuring LLDP
Port state : UP
Notification enable : NO
Number of neighbors : 0
Configuration Steps
Optional.
Verification
Related Commands
11-30
Configuration Guide Configuring LLDP
Usage Guide
The LLDP encapsulation format configuration on a device and its neighbors must be consistent.
Configuration Example
Port state : UP
Notification enable : NO
Number of neighbors : 0
If a device is connected to an IP-Phone that supports LLDP-MED, you can configure the Network Policy TLV to push
policy configuration to the IP-Phone, , which enables the IP-Phone to change the tag and QoS of voice streams. In
addition to the LLDP Network Policy, perform the following steps on the device: 1. Enable the Voice VLAN function and
add the port connected to the IP-Phone to the Voice VLAN. 2. Configure the port connected to the IP-Phone as a QoS
trusted port (the trusted DSCP mode is recommended). 3. If 802.1X authentication is also enabled on the port,
configure a secure channel for the packets from the Voice VLAN. If the IP-Phone does not support LLDP-MED, enable
the voice VLAN function and add the MAC address of the IP-Phone to the Voice VLAN OUI list manually.
For the configuration of the QoS trust mode, see Configuring IP QoS; for the configuration of the Voice VLAN, see
Configuring Voice VLAN; for the configuration of the secure channel, see Configuring ACL.
11-31
Configuration Guide Configuring LLDP
Configuration Steps
Optional.
Verification
Related Commands
Configuration Example
Configuration Set the Network Policy TLV to 1 for LLDP packets to be advertised by port GigabitEthernet 0/1 and set the
Steps VLAN ID of the Voice application to 3, COS to 4, and DSCP to 6.
Ruijie#config
11-32
Configuration Guide Configuring LLDP
Ruijie(config-lldp-network-policy)#exit
Verification Display the LLDP network policy configuration on the local device.
network-policy information:
--------------------------
Configuration Steps
Optional.
Verification
Related Commands
Command Configure the LLDP civic address. Use the no option to delete the address.
{ country | state | county | city | division | neighborhood | street-group | leading-street-dir |
trailing-street-suffix | street-suffix | number | street-number-suffix | landmark |
additional-location-information | name | postal-code | building | unit | floor | room | type-of-place |
postal-community-name | post-office-box | additional-code } ca-word
Parameter De country: Indicates the country code, with two characters. CH indicates China.
scription state: Indicates the CA type is 1.
county: Indicates that the CA type is 2.
city: Indicates that the CA type is 3.
division: Indicates that the CA type is 4.
neighborhood: Indicates that the CA type is 5.
11-33
Configuration Guide Configuring LLDP
11-34
Configuration Guide Configuring LLDP
Mode
Usage Guide After entering the LLDP Civic Address configuration mode, configure the device type.
Command no device-type
Parameter De N/A
scription
Command LLDP Civic Address configuration mode
Mode
Usage Guide After entering the LLDP Civic Address configuration mode, restore the default settings.
Configuration Example
Configuration Set the address of port GigabitEthernet 0/1 as follows: set country to CH, city to Fuzhou, and postal code to
Steps 350000.
Ruijie#config
Ruijie(config-lldp-civic)# country CH
--------------------------
Identifier :1
country :CH
device type :1
city :Fuzhou
postal-code :350000
Configuration Steps
11-35
Configuration Guide Configuring LLDP
Optional.
Verification
Related Commands
Configuration Example
Configuration Set the emergency telephone number of port GigabitEthernet 0/1 to 085285555556.
Steps
Ruijie#config
-------------------------
Identifier :1
11-36
Configuration Guide Configuring LLDP
Configuration Steps
Optional.
Verification
Related Commands
Configuration Example
11-37
Configuration Guide Configuring LLDP
11.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears LLDP statistics. clear lldp statistics [ interface interface-name ]
Clears LLDP neighbor information. clear lldp table [ interface interface-name ]
Displaying
Description Command
Displays LLDP information on the show lldp local-information [ global | interface interface-name ]
local device, which will be organized
as TLVs and sent to neighbors.
Displays the LLDP civic address or show lldp location { civic-location | elin-location } { identifier id | interface
emergency telephone number of a interface-name | static }
local device.
Displays LLDP information on a show lldp neighbors [ interface interface-name ] [ detail ]
neighbor.
Displays the LLDP network policy show lldp network-policy { profile [ profile-num ] | interface interface-name }
configuration of the local device.
Displays LLDP statistics. show lldp statistics [ global | interface interface-name ]
Displays LLDP status information. show lldp status [ interface interface-name ]
Displays the configuration of TLVs to show lldp tlv-config [interface interface-name ]
be advertised by a port.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs LLDP error processing. debug lldp error
Debugs LLDP event processing. debug lldp event
Debugs LLDP hot backup processing. debug lldp ha
Debugs the LLDP packet reception. debug lldp packet
Debugs the LLDP state machine. debug lldp stm
11-38
Configuration Guide Configuring QinQ
12 Configuring QinQ
12.1 Overview
QinQ is used to insert a public virtual local area network (VLAN) tag into a packet with a private VLAN tag to allow the
double-tagged packet to be transmitted over a service provider (SP) network.
Users on a metropolitan area network (MAN) must be separated by VLANs. IEEE 802.1Q supports only 4,094 VLANs, far
from enough. Through the double-tag encapsulation provided by QinQ, a packet is transmitted over the SP network based on
the unique outer VLAN tag assigned by the public network. In this way, private VLANs can be reused, which increases the
number of available VLAN tags and provides a simple Layer-2 virtual private network (VPN) feature.
Figure 12-1 shows the double-tag insertion process. The entrance to an SP network is called a dot1q-tunnel port, or Tunnel
port for short. All frames entering provider edges (PEs) are considered untagged. All tags, whether untagged frames or
frames with customer VLAN tags, are encapsulated with the tags of the SP network. The VLAN ID of the SP network is the ID
of the default VLAN for the Tunnel port.
IEEE 802.1ad
12.2 Applications
Application Description
Implementing Layer-2 VPN Through Data is transmitted from Customer A and Customer B to the peer end without conflict
Port-Based Basic QinQ on the SP network even if the data comes from the same VLAN.
12-1
Configuration Guide Configuring QinQ
Application Description
Implementing Layer-2 VPN and Outer tags are inserted into frames flexibly based on different customer VLANs to
Service Flow Management Through achieve Layer-2 VPN, segregate service flows (e.g., broadband Internet access and
C-TAG-Based Selective QinQ IPTV), and implement various QoS policies. Customer tag (C-TAG)-based QinQ is
more flexible than port-based QinQ.
Implementing Layer-2 VPN and The different service flows, such as broadband Internet access and IPTV, are
Service Flow Management Through segregated based on access control lists (ACLs). Different QoS policies are applied to
ACL-Based Selective QinQ service flows through selective QinQ.
Implementing VLAN Aggregation Different service flows (PC, IPTV, and VoIP) are transmitted through different VLANs.
for Different Services Through VLAN The VLANs are aggregated on a campus network so that only one VLAN is used to
Mapping carry the same service flows, thus saving VLAN resources.
Implementing QinQ-Based Layer-2 Customer Network A and Customer Network B in different areas can perform unified
Transparent Transmission Multiple Spanning Tree Protocol (MSTP) calculation or VLAN deployment across the
SP network without affecting the SP network.
Customer A and Customer B belong to different VLANs on the SP network and achieve communication through
respective SP VLANs.
The VLANs of Customer A and Customer B are transparent to the SP network. The VLANs can be reused without
conflicts.
The Tunnel port encapsulates a native VLAN tag in each packet. Packets are transmitted through the native VLAN over
the SP network without impact on the VLANs of Customer A and Customer B, thus implementing simple Layer-2 VPN.
Figure 12-2
Remark Customer A1 and Customer A2 are the customer edges (CEs) for Customer A network. Customer B1 and
s Customer B2 are the CEs for Customer B network.
12-2
Configuration Guide Configuring QinQ
Provider A and Provider B are the PEs on the SP network. Customer A and Customer B access the SP
network through Provider A and Provider B.
The VLAN of Customer A ranges from 1 to100.
The VLAN of Customer B ranges from 1 to 200.
Deployment
The tag protocol identifiers (TPIDs) used by many switches (including Ruijie switches) are set to 0x8100, but the
switches of some vendors do not use 0x8100. In the latter case, you need to change the TPID value on the Uplink ports
of PEs to the values of the TPIDs used by third-party switches.
Configure priority replication and priority mapping for class of service (CoS) on the Tunnel ports of PEs, and configure
different QoS policies for different service flows (for details, see Configuring QoS).
Broadband Internet access and IPTV are important services carried by MANs. The SPs manage different service flows
through different VLANs and provides QoS policies for the VLANs or CoS. You can enable C-TAG-based QinQ on PEs
to encapsulate outer VLAN tags in the service flows to achieve transparent transmission based on the QoS policies of
the SP network.
Important services and regular services are separated within different VLAN ranges. The customer can transmit service
flows transparently over an SP network through C-TAG-based selective QinQ and ensure preferential transmission of
important service flows by using the QoS policies of the SP network.
In Figure 12-3, the CEs are aggregated by the floor switches inside residential buildings. The broadband Internet access and
IPTV services are segregated by VLANs with different QoS policies.
The service flows of broadband Internet access and IPTV are transmitted transparently by different VLANs over the SP
network.
The SP network provides QoS policies based on VLANs or CoS. On the PEs, you can encapsulate an outer tag in the
service flow based on its inner VLAN tag or set a CoS to ensure preferential transmission of service flows over the SP
network.
The CoS values of service packets can be changed through priority mapping or replication so that the QoS policies of
the SP network are applied flexibly.
Figure 12-3
12-3
Configuration Guide Configuring QinQ
Configure C-TAG-based selective QinQ on the ports (G0/1) of PE 1 and PE 2 connected to CE 1 and CE 2 respectively
to realize the segregation and transparent transmission of service flows.
If the SP network provides QoS policies based on VLANs or CoS, you can encapsulate an outer tag in the service flow
based on its inner tag or set a CoS through priority replication or mapping on PE 1 and PE 2 to ensure preferential
transmission of service flows over the SP network.
12.2.3 Implementing Layer-2 VPN and Service Flow Management Through ACL-Based
Selective QinQ
Scenario
The service flows from the customer network may be classified by MAC address, IP address, or protocol type, instead of by
VLAN. The customer network may contain many low-end access devices unable to segregate service flows by VLAN IDs. In
the preceding two situations, the packets from the customer network cannot be encapsulated with outer tags based on their
inner tags to realize transparent transmission and implement QoS policies. Service flows may be classified by MAC address,
IP address, or protocol type through ACLs. Selective QinQ uses ACLs to segregate service flows and add or modify outer
tags in order to implement Layer-2 VPN and QoS policies based on different service flows.
In Figure 12-4, different VLANs are configured on PE 1 and PE 2 to transmit different service flows classified through ACLs. If
the SP network provides QoS policies based on different services, certain services can be transmitted preferentially.
Outer VLAN tags are encapsulated based on different service flows. The service flows of a customer network can be
transmitted transparently, and its branch offices can access each other.
The SP network provides QoS policies based on the VLAN tags or CoS values to ensure preferential transmission of
certain service flows.
Figure 12-4
12-4
Configuration Guide Configuring QinQ
Configure ACL-based selective QinQ on the ports (G0/1) of PE 1 and PE 2 connected to CE 1 and CE 2 respectively to
realize the segregation and transparent transmission of service flows.
If the SP network provides QoS policies based on VLANs or CoS, you can encapsulate an outer tag in the service flow
based on its inner tag or set a CoS through priority replication or mapping on PE 1 and PE 2 to ensure preferential
transmission of service flows over the SP network.
12.2.4 Implementing VLAN Aggregation for Different Services Through VLAN Mapping
Scenario
The different service flows of different users are segregated on a campus network.
The different service flows are transmitted through different VLANs on the home gateway.
The same service flows from different users are segregated on the floor switch.
The same service flows from different users are sent by a campus switch through one single VLAN.
12-5
Configuration Guide Configuring QinQ
Figure 12-5
On the home gateway devices, configure VLANs for different services to segregate service flows. For example,
configure VLAN 10 for the PC service, VLAN 11 for IPTV, and VLAN 12 for VoIP.
On the ports of the floor switch (Switch D) connected to the home gateway devices, configure VLAN mapping to
segregate the service flows of different users.
On the campus switch, configure VLAN mapping to segregate the service flows.
Through the preceding deployment, the different service flows of different users are segregated.
The Layer-2 packets on customer networks are transparent to SP networks and can be transmitted between the
customer networks without impact on the SP networks.
12-6
Configuration Guide Configuring QinQ
Figure 12-6
Remarks Customer S1 and Customer S2 access the SP network through Provider S1 and Provider S2.
Provider S1 and Provider S2 are enabled with Layer-2 transparent transmission globally, and the Gi 0/1 and Gi
0/10 ports are enabled with Layer-2 transparent transmission.
Deployment
On the ports of the PEs (Provider S1 and Provider S2) connected to Customer S1 and Customer S2 respectively,
configure Layer-2 transparent transmission between Customer Network A1 and Customer Network A2 without impact
on the SP network.
Configure STP transparent transmission based on user requirements to realize transparent transmission of bridge
protocol data unit (BPDU) packets between Customer Network A1 and Customer Network A2 and to perform unified
MSTP calculation across the SP network.
Configure GARP VLAN Registration Protocol (GVRP) transparent transmission based on user requirements to realize
transparent transmission of GVRP packets between Customer Network A1 and Customer Network A2 and dynamic
VLAN configuration on the customer networks across the SP network.
12.3 Features
Basic Concepts
Basic QinQ
Configure basic QinQ on a Tunnel port and configure a native VLAN for the port. Packets entering the port are
encapsulated with outer tags containing the native VLAN ID. Basic QinQ does not segregate service flows and cannot
encapsulate packets flexibly based on VLANs.
Selective QinQ
12-7
Configuration Guide Configuring QinQ
Selective QinQ is classified into two types: selective QinQ based on C-TAGs and selective QinQ based on ACLs.
In C-TAG-based selective QinQ, outer tags are encapsulated in packets based on the inner tags to segregate service flows
and realize transparent transmission.
In ACL-based selective QinQ, outer tags are encapsulated in packets based on the ACLs to segregate service flows.
TPID
An Ethernet frame tag consists of four fields: TPID, User Priority, Canonical Format Indicator (CFI), and VLAN ID.
By default, the TPID is 0x8100 according to IEEE802.1Q. On the switches of some vendors, the TPID is set to 0x9100 or
other values. The TPID configuration aims to ensure that the TPIDs of packets to be forwarded are compatible with the
TPIDs supported by third-party switches.
The default value of User Priority in Ethernet frame tags is 0, indicating regular flows. You can set this field to ensure
preferential transmission of certain packets. You can specify User Priority by setting the value of CoS in a QoS policy.
Priority replication: If the SP network provides a QoS policy corresponding to a specified CoS in the inner tag, you can
replicate the CoS of the inner tag to the outer tag to enable transparent transmission based on the QoS policy provided by
the SP network.
Priority mapping: If the SP network provides various QoS policies corresponding to specified CoS values for different service
flows, you can map the CoS value of the inner tag to the CoS value of the outer tag to ensure preferential transmission of
service flows based on the QoS policies provided by the SP network.
STP and GVRP packets may affect the topology of the SP network. If you want to unify the topology of two customer
networks separated by the SP network without affecting the SP network topology, transmit the STP and GVRP packets from
the customer networks over the SP network transparently.
Overview
Feature Description
Basic QinQ Configures the Tunnel port and specifies whether packets sent from the port are tagged.
Selective QinQ Encapsulates different outer tags in data flows based on ACLs.
VLAN Mapping Replaces the inner tags of packets with outer tags, and then restores the outer tags to inner tags
based on the same rules.
TPID Configuration By default, the TPID is 0x8100 according to IEEE802.1Q. On the switches of some vendors, the
TPIDs of outer tags are set to 0x9100 or other values. The TPID configuration aims to ensure that
the TPIDs of packets to be forwarded are compatible with the TPIDs supported by third-party
switches.
MAC Address In ACL-based selective QinQ, the VLAN IDs for the MAC addresses that switches learn belong to
Replication the native VLAN. If VLAN conversion is implemented based on ACLs, upon receiving packets
from the peer end, the local end may fail to query MAC addresses, causing a flood. To address
this problem, MAC address replication is provided to replicate the MAC addresses of the native
VLAN to the VLAN where the outer tag is located.
12-8
Configuration Guide Configuring QinQ
Feature Description
Layer-2 Transparent Transmits Layer-2 packets between customer networks without impact on SP networks.
Transmission
Priority Replication If the SP network provides a QoS policy corresponding to a specified CoS value in the inner tag,
you can replicate the CoS of the inner tag to the outer tag to enable transparent transmission
based on the QoS policy provided by the SP network.
Priority Mapping If the SP network provides various QoS policies corresponding to specified CoS values for
different service flows, you can map the CoS value of the inner tag to the CoS value of the outer
tag to ensure preferential transmission of service flows based on the QoS policies provided by the
SP network.
Working Principle
After a Tunnel port receives a packet, the switch adds the outer tag containing the default VLAN ID to the packet. If the
received packet already carries a VLAN tag, it is encapsulated as a double-tagged packet. If it does not have a VLAN tag, it is
added with the VLAN tag containing the default VLAN ID.
Modify an outer VLAN tag based on the inner and outer VLAN tags.
12-9
Configuration Guide Configuring QinQ
The inner tag of a packet is replaced by an outer tag to allow the packet to be transmitted based on the public network
topology. When the packet is transmitted to the customer network, the outer tag is restored to the original inner tag based on
the same rule. VLAN mapping supports the following mapping rule:
1:1 VLAN mapping is mainly applied on floor switches to use different VLANs to carry the same services from different users,
as shown in Figure 12-7.
Figure 12-7
Configure the Downlink port with a VLAN mapping policy in the inbound direction to map the inner tag of the uplink flow
to an outer tag.
Configure the Uplink port with a VLAN mapping policy in the outbound direction to map the outer tag of the downlink
flow to the original inner tag.
Figure 12-8
Configure the Downlink port with a VLAN mapping policy in the inbound direction to map the inner tag of the uplink flow
to an outer tag.
For downstream data flows, Configure the Uplink port with a VLAN mapping policy in the inbound direction to the outer
tag of the downlink flow to the original inner tag.
12-10
Configuration Guide Configuring QinQ
Figure 12-9
As in Figure 12-9, the customer network is connected to the Tunnel port of the switch. Configured with native VLAN 4, the
Tunnel port tags the packet whose source MAC address is A with outer VLAN 5. Upon receiving a packet with inner tag
VLAN 3 and source MAC address A, the switch tags the packet with outer VLAN 5. Because the port is configured with native
VLAN 4, MAC address A is learned by VLAN 4. Upon receiving the reply packet, the switch looks for MAC address A on
VLAN 5 because the outer tag of the packet contains VLAN ID 5. However, MAC address A is not learned by VLAN 5,
causing floods.
You can configure the Tunnel port to replicate the MAC address of the native VLAN to the outer VLAN to avoid continuous
flooding of the packets from the SP network. You can also configure the Tunnel port to replicate the MAC address of the
outer VLAN for the outer tag to the native VLAN to avoid continuous flooding of the packets from the customer network.
12-11
Configuration Guide Configuring QinQ
12.4 Configuration
Mandatory.
switchport mode dot1q-tunnel Configures a Tunnel port.
switchport dot1q-tunnel allowed vlan { [ add ]
Adds the VLANs to the Tunnel port in
Configuring QinQ tagged vlist | [ add ] untagged vlist | remove
tagged or untagged mode.
vlist }
Configures the default VLAN for the Tunnel
switchport dot1q-tunnel native vlan VID
port.
12-12
Configuration Guide Configuring QinQ
(Optional) It is used to adjust the outer and inner VLAN tags of the packets transmitted
over SP networks based on network topologies.
Configures the policy to change the VLAN
dot1q relay-vid VID translate local-vid v_list
IDs of outer tags based on the outer tags.
Configures the policy to change the VLAN
dot1q relay-vid VID translate inner-vid v_list
Configuring an Inner/Outer IDs of outer tags based on inner tags.
VLAN Tag Modification Configures the policy to change the VLAN
dot1q new-outer-vlan VID translate
Policy IDs of outer tags based on outer and inner
old-outer-vlan vid inner-vlan v_list
tags.
traffic-redirect access-group acl outer-vlan Configures the policy to change the VLAN
VID in IDs of outer tags based on an ACL.
traffic-redirect access-group acl inner-vlan Configures the policy to change the VLAN
VID out IDs of inner tags based on an ACL.
(Optional) It is used to apply the QoS policy provided by the SP network by priority
replication.
Replicates the value of the User Priority
inner-priority-trust enable field in the inner tag (C-TAG) to the User
Configuring Priority
Priority field of the outer tag (S-TAG).
Mapping and Priority
(Optional) It is used to apply the QoS policy provided by the SP network by priority
Replication
mapping.
Sets the value of the User Priority field in
dot1q-Tunnel cos inner-cos-value remark-cos
the outer tag (S-TAG) based on the User
outer-cos-value
Priority field of the inner tag (C-TAG).
12-13
Configuration Guide Configuring QinQ
(Optional) It is used to transmit MSTP and GVRP packets transparently based on the
customer network topology without affecting the SP network topology.
Enables STP transparent transmission in
l2protocol-tunnel stp
global configuration mode.
Enables STP transparent transmission in
l2protocol-tunnel stp enable
Configuring Layer-2 interface configuration mode.
Transparent Transmission Enables GVRP transparent transmission in
l2protocol-tunnel gvrp
global configuration mode.
Enables GVRP transparent transmission in
l2protocol-tunnel gvrp enable
interface configuration mode.
l2protocol-tunnel{STP|GVRP}tunnel-dmac Configures a transparent transmission
mac-address address.
When the Tunnel port is configured as the source port of the remote switched port analyzer (RSPAN), the
packets whose outer tags contain VLAN IDs consistent with the RSPAN VLAN IDs are monitored.
If you want to match the ACL applied to the Tunnel port with the VLAN IDs of inner tags, use the inner keyword.
Configure the egress port of the customer network connected to the SP network as an Uplink port. If you configure the
TPID of the outer tag on a QinQ-enabled port, set the TPID of the outer tag on the Uplink port to the same value.
By default, the maximum transmission unit (MTU) on a port is 1,500 bytes. After added with an outer VLAN tag, a
packet is four bytes longer. It is recommended to increase the port MTU on the SP networks to at least 1,504 bytes.
After a switch port is enabled with QinQ, you must enable SVGL sharing before enabling IGMP snooping. Otherwise,
IGMP snooping will not work on the QinQ-enabled port.
If a packet matches two or more ACL-based selective QinQ policies without priority, only one policy is executed. It is
recommended to specify the priority.
Notes
It is not recommended to configure the native VLAN of the Trunk port on the PE as its default VLAN, because the Trunk
port strips off the tags containing the native VLAN IDs when sending packets.
Configuration Steps
12-14
Configuration Guide Configuring QinQ
Run the switchport mode dot1q-tunnel command in interface configuration mode to configure the Tunnel port.
Mandatory.
After you configure the native VLAN, add it to the VLAN list of the Tunnel port in untagged mode.
Run the switchport dot1q-tunnel native vlan VID command in interface configuration mode to configure the default
VLAN for the Tunnel port.
If the native VLAN is added to the VLAN list in untagged mode, the outgoing packets on the Tunnel port are not tagged.
If the native VLAN is added to the VLAN list in tagged mode, the outgoing packets on the Tunnel port are tagged with
the native VLAN ID. To ensure the uplink and downlink transmission, add the native VLAN to the VLAN list in untagged
mode.
Mandatory.
After you configure the native VLAN, add it to the VLAN list of the Tunnel port in untagged mode.
If port-based QinQ is enabled, you do not need to add the VLANs of the customer network to the VLAN list of the Tunnel
port.
If selective QinQ is enabled, add the VLANs of the customer network to the VLAN list of the Tunnel port in tagged or
untagged mode based on requirements.
12-15
Configuration Guide Configuring QinQ
Run the switchport dot1q-tunnel allowed vlan { [ add ] tagged vlist | [ add ] untagged vlist | remove vlist } command
in interface configuration mode to add VLANs to the VLAN list of the Tunnel port. Upon receiving packets from
corresponding VLANs, the Tunnel port adds or removes tags based on the settings.
Command switchport dot1q-tunnel allowed vlan { [ add ] tagged vlist | [ add ] untagged vlist | remove vlist }
Parameter De v_list: Indicates the list of the VLANs on the Tunnel port.
scription
Defaults By default, VLAN 1 is added to the VLAN list of the Tunnel port in untagged mode. Other VLANs are not
added.
Command Interface configuration mode
Mode
Usage Guide Use this command to add or remove VLANs on the Tunnel port and specify whether the outgoing packets
are tagged or untagged.
If basic QinQ is enabled, add the native VLAN to the VLAN list of the Tunnel port in untagged mode.
Verification
Check the Tunnel port configuration.
Configuration Example
Scenario
Figure 12-10
Configuration Configure Tunnel ports on the PEs and connect the CEs to the Tunnel ports.
Steps Configure the native VLANs for the Tunnel ports and add the native VLANs to the VLAN lists of the
Tunnel ports respectively in untagged mode.
Configure VLANs on the customer networks based on requirements.
QinQ-enabled switches encapsulate outer tags in packets for transmission over the SP network.
Therefore, you do not need to configure customer VLANs on the PEs.
The TPID is 0x8100 by default according to IEEE802.1Q. On some third-party switches, the TPID is set
to a different value. If such switches are deployed, set the TPIDs on the ports connected to the
12-16
Configuration Guide Configuring QinQ
ProviderA#configure terminal
ProviderA(config)#vlan 10
ProviderA(config-vlan)#exit
ProviderA(config)#vlan 20
ProviderA(config-vlan)#exit
Step 2: Enable basic QinQ on the port connected to the network of Customer A to use VLAN 10 for
tunneling.
Step 3: Enable basic QinQ on the port connected to the network of Customer B to use VLAN 20 for
tunneling.
Step 5: Change the TPID of the outgoing packets on the Uplink port to a value (for example, 0x9100)
recognizable by third-party switches.
12-17
Configuration Guide Configuring QinQ
========Interface Gi0/1========
Native vlan: 10
========Interface Gi0/2========
Native vlan: 20
Ports Tpid
------- -------------
12-18
Configuration Guide Configuring QinQ
Gi0/5 0x9100
The native VLAN is not added to the VLAN list of the Tunnel port in untagged mode.
No TPID is configured on the port connected to the third-party switch on which TPID is not 0x8100. As a result, packets
cannot be recognized by the third-party switch.
Encapsulate outer VLAN tags (S-TAGs) in packets based on inner tags to ensure preferential transmission and
management of Layer-2 VPN and service flows.
Notes
Some selective QinQ policies are not supported on some products due to limitations of chips.
If you need to continue to adopt the VLAN tag priority specified by the customer network, you can configure priority
replication to configure an outer tag the same as the inner tag.
If the SP network requires the transmission of packets based on the priority of the outer tag, you need to configure
priority replication to set the CoS of the outer tag to the specified value.
Configuration Steps
Configuring a Policy to Add the VLAN IDs of Outer Tags Based on Inner Tags
Mandatory.
Upon receiving a packet, the Tunnel port adds the VLAN ID of the outer tag based on the VLAN ID of the inner tag. This
function enables the Tunnel port to add the VLAN ID of the inner tag to the outer tag and adds the port to the VLAN in
untagged mode. In this way, the outgoing packets carry the original inner tags.
The ACL-based QinQ policy prevails over the port-based and C-TAG-based QinQ policy.
When a member port is added to or removed from an aggregate port (AP), the QinQ policy configured on the AP
port will be deleted. You need to configure the policy again. It is recommended that you configure a selective QinQ
policy on the AP port after you configure its member ports.
You must configure the Tunnel port and the port connected to the public network to permit packets with specified VLAN
IDs (including the native VLAN ID) in the outer tag to pass through.
12-19
Configuration Guide Configuring QinQ
Check whether the users within the VLANs can communicate with each other.
Check whether different service traffic is transmitted based on the selective QinQ policy, such as outer tag insertion,
priority replication, and priority mapping.
Configuration Example
Implementing Layer-2 VPN and Service Flow Management Through C-TAG-Based Selective QinQ
Scenario
Figure 12-11
PE1#configure terminal
PE1(config)#vlan 100
PE1(config-vlan)#exit
PE1(config)#vlan 200
12-20
Configuration Guide Configuring QinQ
PE1(config-vlan)#exit
Step 2: On the Downlink port of the access switch, configure a selective QinQ policy to add outer tags based
on inner tags.
Configure port Gi 0/1 as a Tunnel port.
Add VLAN 101 and VLAN 201 of the SP to the VLAN list of the Tunnel port and configure the Tunnel port to
strip off the outer tag from incoming packets.
Configure the Tunnel port to add outer tag VLAN 100 to incoming data frames containing inner tag VLAN 1–
100.
Configure the Tunnel port to add outer tag VLAN 200 to incoming data frames containing inner tag VLAN
101-200.
Step 3: Configure the port that accesses the SP network as an Uplink port.
PE2
Perform the same configuration on PE 2.
Step 2: Check the C-TAG-based selective QinQ policy. Check whether the mapping relationship between
12-21
Configuration Guide Configuring QinQ
PE1#show registration-table
Encapsulate outer VLAN tags (S-TAGs) in packets based on the ACL-based flow classification to allow the SP network
to manage different services.
Notes
Some selective QinQ policies are not supported on some products due to limitations of chips.
If you need to continue to adopt the VLAN tag priority specified by the customer network, you can configure priority
replication to configure an outer tag the same as the inner tag.
If the SP network requires the transmission of packets based on the priority of the outer tag, you need to configure
priority replication to set the CoS of the outer tag to the specified value.
The ACL-based QinQ policy prevails over the port-based and C-TAG-based QinQ policy.
Upon receiving a packet with two or more tags, the Tunnel port cannot add an outer tag to the packet based on the
ACL-based selective QinQ policy.
If a packet matches two or more ACL-based selective QinQ policies without priority, only one policy is executed. It is
recommended to specify the priority.
You must configure the Tunnel port and the port connected to the public network to permit packets with specified VLAN
IDs (including the native VLAN ID) in the outer tag to pass through.
Configuration Steps
Configuring a Policy to Add the VLAN IDs of Outer Tags Based on ACLs
Mandatory.
The Tunnel port adds outer tags with different VLAN IDs to incoming packets based on the packet content.
12-22
Configuration Guide Configuring QinQ
scription
Defaults By default, no policy is added.
Command Interface configuration mode
Mode
Usage Guide N/A
Verification
Check whether the users of the same service in different branch offices can communicate with each other and whether
specified service data is transmitted preferentially through virtual private LAN segment (VPLS) configuration.
Check whether different service traffic is transmitted based on the selective QinQ policy, such as outer tag insertion,
priority replication, and priority mapping.
Configuration Example
Implementing Layer-2 VPN and Service Flow Management Through ACL-Based Selective QinQ
Scenario
Figure 12-12
PE1#configure terminal
12-23
Configuration Guide Configuring QinQ
PE1(config-exp-nacl)#exit
Step 2: Configure VLAN 100 and VLAN 200 on the SP network to segregate data.
PE#configure terminal
PE1(config)#vlan 100
PE1(config-vlan)#exit
PE1(config)#vlan 200
PE1(config-vlan)#exit
Step 3: On the Downlink port of the access switch, configure a selective QinQ policy to add outer VLAN tags
based on ACLs.
Configure port Gi 0/1 as a Tunnel port.
Add VLAN 100 and VLAN 200 of the SP to the VLAN list of the Tunnel port and configure the Tunnel port to
strip off the outer tag from incoming packets.
Configure the Tunnel port to add outer tag VLAN 100 to the incoming data frames which match ACL 1.
Configure the Tunnel port to add outer tag VLAN 200 to the incoming data frames which match ACL 2.
Verification Check whether the users of the same service in different branch offices can communicate with each other
and whether specified service data is transmitted preferentially.
Check whether Layer-2 VPN is implemented.
Check whether the ACL is correct.
Check whether the service priority is correct.
Check whether the Downlink port is configured as a Tunnel port, whether the outer tag VLAN is added
12-24
Configuration Guide Configuring QinQ
to the VLAN list of the Tunnel port, and whether the mapping policy on the Tunnel port is correct.
PE1 Step 1: Check whether the Tunnel port is configured correctly.
Step 2: Check the ACL-based selective QinQ policy. Check whether the mapping relationship between the
inner and outer VLAN tags is correct.
PE1#show traffic-redirect
Common Errors
ACL policies are used to segregate flows based on MAC addresses. Packet floods will occur if MAC address replication
is not configured.
Replace the inner tags of the packets with the outer tags to allow the packets to be transmitted based on the VLAN
planning on the SP network.
Notes
VLAN mapping can be configured only on Access ports, Trunk ports, Hybrid ports, or Uplink ports.
After VLAN mapping is configured, the VLAN IDs of the packets sent to the CPU are changed to the specified VLAN ID.
It is not recommended to configure VLAN mapping and selective QinQ on one port.
Configuration Steps
12-25
Configuration Guide Configuring QinQ
Mandatory if the 1:1 mode is used. Configure a 1:1 VLAN mapping rule.
Run the vlan-mapping-in vlan CVID remark SVID command or the vlan-mapping-out vlan SVID remark CVID
command on a Trunk port or an Uplink port to enable 1:1 VLAN mapping.
Run the show interfaces[ intf-id ] vlan-mapping command to display the VLAN mapping.
Configuration Example
12-26
Configuration Guide Configuring QinQ
Scenario
Figure 12-13
Ruijie#configure terminal
Ruijie(config-vlan-range)#exit
Step 2: Configure the attributes of the ports connected to PC, IPTV, and VoIP. Assume that the connected
ports are Gi 0/2, Gi 0/3, and Gi 0/4 respectively.
Ruijie(config-if-GigabitEthernet 0/2)#exit
Ruijie(config-if-GigabitEthernet 0/3)#exit
Ruijie(config-if-GigabitEthernet 0/4)#exit
12-27
Configuration Guide Configuring QinQ
Ruijie#configure terminal
Ruijie(config-vlan-range)#exit
Ruijie(config-vlan-range)#exit
Ruijie(config-vlan-range)#exit
Step 2: On the Downlink port of Home Gateway 1, configure 1:1 VLAN mapping policies in the inbound and
outbound directions.
Step 3: On the Downlink port of Home Gateway 2, configure 1:1 VLAN mapping policies in the inbound and
outbound directions.
12-28
Configuration Guide Configuring QinQ
Ruijie#configure terminal
Ruijie(config-vlan-range)#exit
Ruijie(config-vlan-range)#exit
Ruijie(config-vlan-range)#exit
Step 2: On the Downlink port, map the VLANs for different services to a VLAN.
(Optional) Step 5: Configure the port connected to the DHCP server as a trusted port.
Verification Display the 1:1 VLAN mapping policies configured on the floor switch.
12-29
Configuration Guide Configuring QinQ
Display the N:1 VLAN mapping policies configured on the campus switch.
Do not set the TPIDs to any of the following values: 0x0806 (ARP), 0x0200 (PUP), 0x8035 (RARP), 0x0800 (IP),
0x86DD (IPv6), 0x8863/0x8864 (PPPoE), 0x8137 (IPX/SPX), 0x8000 (IS-IS), 0x8809 (LACP), 0x888E (802.1X),
0x88A7 (clusters), and 0x0789 (reserved by Ruijie Networks).
Configuration Steps
If a PE connected to a third-party switch on which the TPID is not 0x8100, you need to configure the TPID on the port of
the PE connected to the third-party switch.
TPIDs can be configured in interface configuration mode and global configuration mode. The following example adopts
interface configuration mode.
Configure the frame-tag tpid 0x9100 command in interface configuration mode to change the TPID to 0x9100. For details
about the TPID value, see section 1.4.5.
12-30
Configuration Guide Configuring QinQ
Verification
Configuration Example
Port tpid
------- -------------
Gi0/1 0x9100
Replicate the dynamic address learned on a port from one VLAN to another.
Avoid packet floods when service flows are segregated through MAC-based ACLs.
Notes
After MAC address replication is disabled, the system will delete all the learned MAC address entries from the
destination VLAN.
MAC address replication can be configured on a port only once. If you need to modify the configuration, delete the
current configuration and configure it again.
VLAN MAC address replication cannot be used together with VLAN sharing, and the MAC addresses cannot be
replicated to dynamic VLANs.
12-31
Configuration Guide Configuring QinQ
Up to eight destination VLANs can be configured on each port. MAC address replication takes effect even if the port
does not belong to the specified destination VLAN.
MAC address replication cannot be configured on the Host and Promiscuous ports, monitoring ports, and port
security-/802.1X-enabled ports.
Only dynamic addresses can be replicated. Address replication is disabled when the address table is full. If source
addresses already exist before replication is enabled, corresponding MAC addresses will not be replicated.
Replicated addresses have a higher priority than dynamic addresses but have a lower priority than other types of
addresses.
When a MAC address ages, the replicated MAC address will also age. When the MAC address is deleted, the
replicated address will be deleted automatically.
Hot backup is not supported. After primary/secondary switchover occurs, it is recommended that you disable MAC
address replication and then enable it again.
The MAC address entries obtained through MAC address replication cannot be deleted manually. If you need to delete
these entries, disable MAC address replication.
Configuration Steps
Perform this configuration to replicate MAC addresses from one VLAN to another to avoid packet floods.
Run the mac-address-mapping <1-8> source-vlan src-vlan-list destination-vlan dst-vlan-id command on a Trunk
port to enable MAC address replication. src-vlan-list and dst-vlan-id specify the VLAN range.
Verification
Check whether the MAC address of the specified VLAN is replicated to another VLAN.
Configuration Example
12-32
Configuration Guide Configuring QinQ
----------------------------------------------
Gi0/1 5 1-3
Common Errors
See "Notes".
Notes
The ACL-based QinQ policy prevails over the port-based and C-TAG-based QinQ policy.
Tag modification policies take effect only on Access ports, Trunk ports, Hybrid ports, and Uplink ports.
Tag modification policies are mainly used to modify inner and outer tags on the SP network.
If a packet matches two or more ACL-based selective QinQ policies without priority, only one policy is executed. It is
recommended to specify the priority.
Configuration Steps
Configuring the Policy to Change the VLAN IDs of Outer Tags Based on Inner Tags
Optional.
Perform this configuration to change the VLAN IDs of outer tags based on the VLAN IDs of inner tags.
You can change the VLAN IDs of the outer tags in the packets that enter Access ports, Trunk ports, Hybrid ports, and
Uplink ports based on the VLAN IDs of the inner tags in these packets.
12-33
Configuration Guide Configuring QinQ
Configuring the Policy to Change the VLAN IDs of Outer Tags Based on the VLAN IDs of Outer and Inner Tags
Optional.
Perform this configuration to change the VLAN IDs of outer tags based on the VLAN IDs of inner and outer tags.
You can change the VLAN IDs of the outer tags in the packets that enter Access ports, Trunk ports, Hybrid ports, and
Uplink ports based on the VLAN IDs of the inner and outer tags in these packets.
Configuring the Policy to Change the VLAN IDs of Outer Tags Based on the Outer Tags
Optional.
Perform this configuration to change the VLAN IDs of outer tags based on these VLAN IDs.
You can change the VLAN IDs of the outer tags in the packets that enter Access ports, Trunk ports, Hybrid ports, and
Uplink ports based on these VLAN IDs.
Configuring a Policy to Change the VLAN IDs of Inner Tags Based on ACLs
Optional.
You can change the VLAN IDs of the inner tags in the packets that exit Access ports, Trunk ports, Hybrid ports, and
Uplink ports based on the packet content.
12-34
Configuration Guide Configuring QinQ
Configuring a Policy to Change the VLAN IDs of Outer Tags Based on ACLs
Optional.
You can change the VLAN IDs of the outer tags in the packets that exit Access ports, Trunk ports, Hybrid ports, and
Uplink ports based on the packet content.
Verification
Check whether the configuration takes effect and whether the port modifies the tags in received packets based on the policy.
Configuration Example
Configuring the Policy to Change the VLAN IDs of Outer Tags Based on the Outer Tags
12-35
Configuration Guide Configuring QinQ
Configuration Configure inner/outer tag modification policies on a port based on the actual networking requirements.
Steps The following example shows how to change VLAN IDs of outer tags based on outer tags and ACLs
respectively. For details about other policies, see the description above.
Configure a policy to change outer VLAN tags based on the outer VLAN tags.
Ruijie(config-acl-std)# exit
If an SP network provides a QoS policy based on the User Priority field of the inner tag, configure priority replication to
apply the QoS policy to the outer tag.
If an SP network provides a QoS policy based on the User Priority field of the inner tag, configure priority mapping to
apply the User Priority field provided by the SP network to the outer tag.
Notes
Only a Tunnel port can be configured with priority replication, which has a higher priority than trusted QoS but lower
than ACL-based QoS.
Priority replication and priority mapping cannot be both enabled on one port.
Only a Tunnel port can be configured with priority mapping, which prevails over QoS.
The configuration of priority mapping does not take effect if no trust mode is configured (trust none) or the trust mode is
not matched with priority mapping.
Configuration Steps
12-36
Configuration Guide Configuring QinQ
Only a Tunnel port can be configured with priority mapping or priority replication.
Configure priority replication to apply the inner tag-based QoS policy provided by the SP network.
Configure priority mapping to configure the User Priority field of the outer VLAN tag based on the inner tag and apply
the QoS policy flexibly.
To enable priority replication, run the inner-priority-trust enable command on the Tunnel port.
To enable priority mapping, run the dot1q-Tunnel cos inner-cos-value remark-cos outer-cos-value command on the
Tunnel port.
Verification
Run the show inner-priority-trust interfaces type intf-id command and the show interfaces type intf-id remark
command to check whether priority mapping or priority replication takes effect.
Configuration Example
12-37
Configuration Guide Configuring QinQ
Configuration To maintain the packet priority, you need to replicate the priority of the inner tag in a packet to the outer
Steps tag on the Tunnel port.
To flexibly control the packet priority on the Tunnel port, you can add outer tags of different priorities to
packets based on the priorities of the inner tags in the packets.
Configure priority replication.
Ruijie(config)# end
Port inner-priority-trust
------ -------------------
Gi0/1 enable
Gi0/1 Cos-To-Cos 3 5
Common Errors
See "Notes".
Configuration Effect
Transmit Layer-2 packets transparently without impact on the SP network and the customer network.
Notes
12-38
Configuration Guide Configuring QinQ
If STP is not enabled, you need to run the bridge-frame forwarding protocol bpdu command to enable STP
transparent transmission.
Transparent transmission enabled on a port takes effect only after enabled globally. When transparent transmission
takes effect on the port, the port does not participate in related protocol calculation. If the port receives a packet whose
destination MAC address is the special broadcast address, it determines that a networking error occurs and discards
the packet.
Configuration Steps
Enable STP transparent transmission in global configuration mode and interface configuration mode.
Run the l2protocol-tunnel stp command in global configuration mode to enable STP transparent transmission.
Run the l2protocol-tunnel stp enable command in interface configuration mode to enable STP transparent
transmission.
Enable GVRP transparent transmission in global configuration mode and interface configuration mode.
Run the l2protocol-tunnel gvrp command in global configuration mode to enable GVRP transparent transmission.
Run the l2protocol-tunnel gvrp enable command in interface configuration mode to enable GVRP transparent
transmission.
12-39
Configuration Guide Configuring QinQ
scription
Defaults By default, GVRP transparent transmission is disabled.
Command Global configuration mode
Mode
Usage Guide N/A
Optional.
When no transparent transmission address is configured, the default settings are used.
Verification
Run the show l2protocol-tunnel stp command and the show l2protocol-tunnel gvrp command to check whether the
Configuration Example
12-40
Configuration Guide Configuring QinQ
Scenario
Figure 12-14
Configuration On the PEs (Provider S1 and Provider S2), enable STP transparent transmission in global
Steps configuration mode and interface configuration mode.
Before you enable STP transparent transmission, enable STP in global configuration mode to allow the
switches to forward STP packets.
Provider S1 Step 1: Enable STP.
ProviderS1#configure terminal
ProviderS1(config)#vlan 200
ProviderS1(config-vlan)#exit
Step 3: Enable basic QinQ on the port connected to the customer network and use VLAN 200 for tunneling.
Step 4: Enable STP transparent transmission on the port connected to the customer network.
ProviderS1(config-if-GigabitEthernet 0/1)#exit
ProviderS1(config)#l2protocol-tunnel stp
12-41
Configuration Guide Configuring QinQ
ProviderS1#show running-config
Common Errors
Transparent transmission is not enabled in global configuration mode and interface configuration mode.
12.5 Monitoring
Displaying
Description Command
Displays whether the specified port is a Tunnel
show dot1q-tunnel [ interfaces intf-id ]
port.
12-42
Configuration Guide Configuring QinQ
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs QinQ. debug bridge qinq
12-43
Configuration Guide Configuring ERPS
13 Configuring ERPS
13.1 Overview
Ethernet Ring Protection Switching (ERPS), also known as G.8032, is a ring protection protocol developed by the
International Telecommunication Union (ITU). It is a data link layer protocol designed for Ethernet rings. ERPS prevents
broadcast storms caused by data loops in an idle Ethernet ring and can rapidly recover the communication between nodes in
the event that a link is disconnected in the Ethernet ring.
The Spanning Tree Protocol (STP) is another technique used to solve the Layer-2 loop problem. STP is at the mature
application stage but requires a relatively long (seconds) convergence time compared to ERPS. ERPS reaches a Layer-2
convergence speed of less than 50 ms, faster than that of STP.
Scenario
13.2 Applications
Application Description
Single-Ring Protection Only one ring exists in a network topology.
Tangent-Ring Protection Two rings in a network topology share one device.
Intersecting-Ring Protection Two or more rings in a network topology share one link.
Scenario
In Figure 13-1, the network topology has only one ring, only one ring protection link (RPL) owner node, and only one RPL. All
nodes must belong to the same ring automatic protection switching (R-APS) virtual local area network (VLAN).
Each link between devices must be a direct link without any intermediate device.
13-1
Configuration Guide Configuring ERPS
Figure 13-1
Remarks The four devices in the ring network are aggregation switches.
Deployment
ERPS blocks the RPL to prevent loops. In Figure 13-1, the link between Node 1 and Node 2 is an RPL.
Scenario
The two rings in a network topology that share one device need to be protected.
In Figure 13-2, the two rings in the network topology share one device. Each ring has only one PRL owner node and only one
RPL. The two rings belong to different R-APS VLANs.
Each link between devices must be a direct link without any intermediate device.
Figure 13-2
13-2
Configuration Guide Configuring ERPS
Deployment
Scenario
Two or more rings in a network topology share one link. (Each link between intersecting nodes must be a direct link without
any intermediate node.)
In Figure 13-3, four rings exist in the network topology. Each ring has only one PRL owner node and only one RPL. The four
rings belong to different R-APS VLANs.
Each link between devices must be a direct link without any intermediate device.
Figure 13-3
Deployment
13-3
Configuration Guide Configuring ERPS
13.3 Features
Basic Concepts
Ethernet Ring
Ethernet rings are classified into common Ethernet rings and Ethernet subrings.
Ethernet subring: An open topology that is mounted on other rings or networks through intersecting nodes and forms a
closed topology with the channel between the intersecting nodes belonging to other rings or networks.
An Ethernet ring (a common Ethernet ring or an Ethernet subring) can be in one of the following states:
Idle state: The physical links in the entire ring network are reachable.
RPL: An Ethernet ring (a common Ethernet ring or an Ethernet subring) has only one RPL. When an Ethernet ring is
idle, the RPL is blocked and does not forward data packets to prevent loops. In Figure 13-2, the link between Node 1
and Node 4 is the RPL of ERPS 1, and Node 4 blocks the RPL port (the port mapped to the RPL). The link between
Node 4 and Node 5 is the RPL of ERPS 2, and Node 5 blocks the RPL port.
Subring link: Belongs to a subring in intersecting rings and is controlled by the subring. In Figure 13-3, ERPS 1 is a
common Ethernet ring, and ERPS 2 is an Ethernet subring. The link between Node 4 and Node 5 and the link between
Node 3 and Node 5 belong to ERPS 2. The other links belong to ERPS 1.
The link between Node 3 and Node 4 belongs to ERPS 1 rather than ERPS 2, and the link is not controlled by ERPS 2.
R-APS virtual channel: Transmits ERPS packets of subrings between intersecting nodes in intersecting rings, but it
does not belong to the subring. In Figure 13-3, Node 1 blocks the RPL, and the packets of subring ERPS 2 are
transmitted through the direct link between Node 3 and Node 4 in Ethernet ring ERPS 1. The direct link between Node 3
and Node 4 is the R-APS virtual channel of ERPS 2.
Node
ERPS has the following node roles for a specific Ethernet ring:
RPL owner node: A node that is adjacent to an RPL and is used to block the RPL to prevent loops when the Ethernet
ring is free of faults. An Ethernet ring (a common Ethernet ring or an Ethernet subring) has only one RPL owner node. In
Figure 13-2, Node 1 functions as the RPL owner node of Ethernet ring ERPS 1, and Node 6 functions as the RPL owner
node of Ethernet subring ERPS 2.
Non-RPL owner node: Any other node than the RPL owner node in an Ethernet ring. In Figure 13-2, nodes except
Node 1 and Node 6 are non-RPL owner nodes of their respective rings.
13-4
Configuration Guide Configuring ERPS
ERPS has the following roles globally (not for a specific Ethernet ring):
Intersecting node: A node that belongs to multiple intersecting Ethernet rings. In Figure 13-3, Node 3 and Node 4 are
intersecting nodes.
Non-intersecting node: A node that belongs to only one intersecting Ethernet ring. In Figure 13-3, Node 2 is a
non-intersecting node.
VLAN
ERPS supports two types of VLAN: R-APS VLAN and data VLAN.
R-APS VLAN: A VLAN for transmitting ERPS packets. On a device, the ports accessing an ERPS ring belong to the
R-APS VLAN, and only such ports can join the R-APS VLAN. R-APS VLANs of different ERPS rings must be different.
IP address configuration is prohibited on the R-APS VLAN ports.
Data VLAN: A VLAN for transmitting data packets. Both ERPS ports and non-ERPS ports can be assigned to a data
VLAN.
R-APS VLANs of different ERPS rings must be configured differently to differentiate packets of different ERPS rings;
otherwise, ERPS may be abnormal.
ERPS Packet
ERPS packets (also called R-APS packets) are classified into Signal Fail (SF) packets, No Request (NR) packets, No
Request, RPL Blocked (NR, RB) packets, and flush packets.
SF packet: When the link of a node is down, the node sends SF packets to notify other nodes of its link failure.
NR packet: When the failed link is restored, the node sends an NR packet to notify the RPL owner node of its link
recovery.
(RR, RB) packet: When all nodes in an ERPS ring function properly, the RPL owner node sends (RR, RB) packets
periodically.
Flush packet: In an intersecting ring, when a topology change occurs in a subring, the intersecting nodes send flush
packets to notify other devices in the Ethernet ring to which the subring is connected.
ERPS Timer
ERPS timers include the Holdoff timer, Guard timer, and WTR timer.
Holdoff timer: Is used to minimize frequent ERPS topology switching due to intermittent link failures. After you
configure the Holdoff timer, ERPS performs topology switching only if the link failure still persists after the timer times
out.
Guard timer: Is used to prevent a device from receiving expired R-APS messages. When the device detects that a link
failure is cleared, it sends link recovery packets and starts the Guard timer. During the period before timer expiration, all
packets except flush packets indicating a subring topology change will be discarded.
Wait-to-restore (WTR) timer: Is effective only for RPL owner devices to avoid ring status misjudgment. When an RPL
owner device detects that a failure is cleared, it does perform topology switching immediately but only if the Ethernet
13-5
Configuration Guide Configuring ERPS
ring is recovered after the WTR timer times out. If a ring failure is detected again before timer expiration, the RPL owner
device cancels the timer and does not perform topology switching.
Overview
Feature Description
Ring Protection Prevents broadcast storms caused by data loops and can rapidly recover the communication
between nodes in the event that a link is disconnected in the Ethernet ring.
Load Balancing Configures multiple Ethernet subrings in one ring network and forwards the traffic of different VLANs
through different Ethernet subrings to balance load.
Working Principle
Normal Status
Link Failure
The nodes adjacent to a failed link block the failed link and send SF packets to notify other nodes in the same ring.
The R-APS (SF) packet triggers the RPL owner node to unblock the RPL port. All nodes update their MAC address
entries and ARP/ND entries and the ring enters the protection state.
Link Recovery
When a failed link is restored, adjacent nodes still block the link and send NR packets indicating that no local failure
exists.
When the RPL owner node receives the first R-APS (NR) packet, it starts the WTR timer.
When the timer times out, the RPL owner node blocks the RPL and sends an (NR, RB) packet.
After receiving the (NR, RB) packet, other nodes update their MAC address entries and ARP/ND entries, and the node
that sends the NR packet stops periodic packet transmission and unblocks the port.
Related Configuration
13-6
Configuration Guide Configuring ERPS
Run the erps raps-vlan command to configure the R-APS VLAN (management VLAN) of an ERPS ring to transmit ERPS
packets.
Run the rpl-port command in R-APS VLAN mode to configure the ERPS ring mapped to an R-APS VLAN.
Run the rpl-port command in R-APS VLAN mode to specify an RPL and an RPL owner node.
Working Principle
The multiple VLANs in a ring network can have their respective traffic forwarded by different paths through ERPS to balance
load.
In a physical ring network, multiple Ethernet rings can be configured to forward traffic of different VLANs (called protected
VLANs) by different topologies to realize load balancing.
In Figure 13-4, two Ethernet rings are configured with different protected VLANs in the physical ring network. Node 1 is the
RPL owner node of ERPS 1 and Node 3 is RPL owner node of ERPS 2. With such configurations, data of different VLANs
can be transmitted by different links to realize single-ring load balancing.
Related Configuration
Run the protected-instance command in R-APS VLAN mode to configure a protected VLAN set to realize load balancing.
13-7
Configuration Guide Configuring ERPS
13.4 Configuration
In an ERPS ring network, quickly switch services from a failed link to a normal link.
Notes
Only one RPL owner node and only one RPL can be configured in one ERPS ring.
All nodes in one ERPS ring must belong to the same R-APS VLAN.
13-8
Configuration Guide Configuring ERPS
Only trunk ports can join an ERPS ring, and the trunk attributes cannot be modified after the port joins the ring.
The ports in an ERPS ring do not participate in STP calculation regardless of whether the ERPS ring is enabled or not.
When you configure an ERPS ring, ensure that loops will not occur when STP calculation is disabled on ports in the
ring.
ERPS does not use the same ports as RERP and REUP.
Configuration Steps
Configure the same R-APS VLAN on all switches in the ERPS ring to transmit ERPS packets.
Configure the ports that form the ERPS ring as ERPS ring ports.
Configure a single device in each ERPS ring as an RPL owner node, which will control the port to be blocked.
Enable the specified R-APS ring in the same R-APS VLAN on each switch.
Verification
Run the show erps command one each node to check the configuration.
Related Commands
13-9
Configuration Guide Configuring ERPS
Usage Guide ERPS takes effect in a ring only after ERPS is enabled globally and for the ring respectively.
13-10
Configuration Guide Configuring ERPS
Configuration Example
Scenario
# Configure the ports to be added to the Ethernet ring and participate in ERPS calculation.
13-11
Configuration Guide Configuring ERPS
# Configure the ports to be added to the Ethernet ring and participate in ERPS calculation.
Verification Run the show erps command one each node to check the configuration. The configuration on Node 1 and
Node 4 is used as an example.
13-12
Configuration Guide Configuring ERPS
Node 1
Ruijie# show erps
ERPS Information
--------------------------------------------
Node 4
Ruijie# show erps
ERPS Information
--------------------------------------------
13-13
Configuration Guide Configuring ERPS
Common Errors
The R-APS ring has been enabled but ERPS is not enabled globally, so ERPS still does not take effect.
Different R-APS VLANs are configured for the nodes in one ring.
Configure a tangent ring that consists of two ERPS rings sharing one device to realize data link redundancy.
Quickly switch services from a failed link in one ERPS ring to a normal link.
Notes
The tangent-ring configuration is basically the same as the single-ring configuration. You only need to associate the two
ERPS rings on the tangent node.
Only one RPL owner node and only one RPL can be configured in each ERPS ring.
All nodes in one ERPS ring must belong to the same R-APS VLAN.
Only trunk ports can join an ERPS ring, and the trunk attributes cannot be modified after the port joins the ring.
The ports in an ERPS ring do not participate in STP calculation regardless of whether the ERPS ring is enabled or not.
When you configure an ERPS ring, ensure that loops will not occur when STP calculation is disabled on ports in the
ring.
ERPS does not use the same ports as RERP and REUP.
Configuration Steps
The tangent-ring configuration is basically the same as the single-ring configuration. You only need to associate the two
ERPS rings on the tangent node.
Verification
Run the show erps command one each node to check the configuration.
Related Commands
13-14
Configuration Guide Configuring ERPS
Configuration Example
Scenario
# Configure the ports to be added to the Ethernet ring and participate in ERPS calculation.
13-15
Configuration Guide Configuring ERPS
13-16
Configuration Guide Configuring ERPS
Node 4
Ruijie# configure terminal
Node 5
Ruijie# configure terminal
13-17
Configuration Guide Configuring ERPS
Node 6
Ruijie# configure terminal
Verification Run the show erps command one each node to check the configuration. The configuration on Node 3 is
used as an example.
13-18
Configuration Guide Configuring ERPS
ERPS Information
--------------------------------------------
--------------------------------------------
Common Errors
The R-APS ring has been enabled but ERPS is not enabled globally, so ERPS still does not take effect.
13-19
Configuration Guide Configuring ERPS
Different R-APS VLANs are configured for the nodes in one ring.
Configure multiple ERPS rings to share links, thus realizing data link redundancy.
Quickly switch services from a failed link in one ERPS ring to a normal link.
Notes
Only one RPL owner node and only one RPL can be configured in each ERPS ring.
All nodes in one ERPS ring must belong to the same R-APS VLAN.
All nodes in the Ethernet ring must be associated with their respective subrings.
Only trunk ports can join an ERPS ring, and the trunk attributes cannot be modified after the port joins the ring.
The ports in an ERPS ring do not participate in STP calculation regardless of whether the ERPS ring is enabled or not.
When you configure an ERPS ring, ensure that loops will not occur when STP calculation is disabled on ports in the
ring.
ERPS does not use the same ports as RERP and REUP.
Configuration Steps
Perform the following configuration after you complete the single-ring configuration described above:
If the link between intersecting nodes is faulty or blocked in the event of a subring topology change, the intersecting
nodes will send packets to instruct the nodes in other Ethernet rings associated with the subring to update the topology.
After nodes are associated with Ethernet subrings, ERPS packets of the subrings can be transmitted to other Ethernet
rings.
Verification
Run the show erps command one each node to check the configuration.
13-20
Configuration Guide Configuring ERPS
Related Commands
Configuration Example
Scenario
13-21
Configuration Guide Configuring ERPS
# Configure the ports to be added to the Ethernet ring and participate in ERPS calculation.
# Specify the port and RPL owner node for the RPL.
13-22
Configuration Guide Configuring ERPS
# Configure the ports to be added to the Ethernet ring and participate in ERPS calculation.
# Configure the ports to be added to the Ethernet ring and participate in ERPS calculation.
13-23
Configuration Guide Configuring ERPS
Node 3 # Perform the following configuration on Node 3 based on the configuration on Node 2:
# Enter privileged mode.
# Configure the ports to be added to the Ethernet ring and participate in ERPS calculation.
13-24
Configuration Guide Configuring ERPS
# Configure the ports to be added to the Ethernet ring and participate in ERPS calculation.
Node 4 # Perform the following configuration on Node 4 based on the configuration on Node 2.
# Enter privileged mode.
# Configure the ports to be added to the Ethernet ring and participate in ERPS calculation.
13-25
Configuration Guide Configuring ERPS
# Configure the ports to be added to the Ethernet ring and participate in ERPS calculation.
# Configure the ports to be added to the Ethernet ring and participate in ERPS calculation.
13-26
Configuration Guide Configuring ERPS
# Configure the ports to be added to the Ethernet ring and participate in ERPS calculation.
# Specify the port and RPL owner node for the RPL.
Node 6 # The configuration on Node 6 is basically the same as that on Node 5, except that you need to change the
R-APS VLAN to VLAN 200.
Node 7 # The configuration on Node 7 is basically the same as that on Node 5, except that you need to change the
R-APS VLAN to VLAN 300.
Verification Run the show erps command one each node to check the configuration. The configuration on Node 3 is
used as an example.
ERPS Information
--------------------------------------------
13-27
Configuration Guide Configuring ERPS
--------------------------------------------
--------------------------------------------
13-28
Configuration Guide Configuring ERPS
Common Errors
The R-APS ring has been enabled but ERPS is not enabled globally, so ERPS still does not take effect.
Different R-APS VLANs are configured for the nodes in one ERPS ring.
The nodes in the man ring are not associated with Ethernet subrings.
Control the direction of data flows in an ERPS ring to realize load balancing.
When a link in the ring network enabled with load balancing fails, the traffic can be quickly switched to a normal link.
Notes
Before you configure load balancing, configure the VLAN-instance relationship in MST configuration mode.
When you configure load balancing, add all data VLANs of the devices to the ERPS protected VLAN list; otherwise, any
unprotected VLAN will cause loops.
Only trunk ports can join an ERPS ring, and the trunk attributes cannot be modified after the port joins the ring.
The ports in an ERPS ring do not participate in STP calculation regardless of whether the ERPS ring is enabled or not.
When you configure an ERPS ring, ensure that loops will not occur when STP calculation is disabled on ports in the
ring.
ERPS does not use the same ports as RERP and REUP.
Configuration Steps
Perform the following configuration after you complete the single-ring configuration described above:
When you configure load balancing for an Ethernet ring, you must specify the protected VLAN.
Verification
Run the show erps command one each node to check the configuration.
Related Commands
13-29
Configuration Guide Configuring ERPS
Description
Command R-APS VLAN mode
Mode
Usage Guide The protected instance of the Ethernet ring is the protected VLAN.
Configuration Example
Scenario
# Configure the protected VLAN, RPL owner port, and RPL of ERPS 1.
13-30
Configuration Guide Configuring ERPS
Ruijie(config-mst)# exit
Ruijie(config-mst)# exit
Node 2 # The configuration on Node 2 is the same as that on Node 1, except that RPL configuration is not required
on Node 2.
Node 3 # The configuration on Node 3 is the same as that on Node 1, except that RPL configuration is not required
on Node 3.
# Configure the RPL of ERPS 2 on Node 3. The RPL of ERPS 1 does not need to be configured on Node 3.
Verification Run the show erps command one each node to check the configuration. The configuration on Node 1 is
used as an example.
Node 1
Ruijie# show erps
ERPS Information
13-31
Configuration Guide Configuring ERPS
--------------------------------------------
--------------------------------------------
Common Errors
The R-APS ring has been enabled but ERPS is not enabled globally, so ERPS still does not take effect.
Different R-APS VLANs are configured for the nodes in one ERPS ring.
13-32
Configuration Guide Configuring ERPS
Notes
When you modify the ERPS configuration on a device, to avoid loops, first run the shutdown command to shut down
an ERPS port in the ring. When the configuration is completed, run the no shutdown command to restart the port.
All nodes in one ERPS ring must belong to the same R-APS VLAN.
If you only need to modify the ERPS timers, skip this section.
Configuration Steps
Run the shutdown command to shut down an ERPS port and disable ERPS. Then modify the ERPS configuration according
to section 13.4.1 "Single-Ring Configuration (Basic Function)" and complete the following settings, which are optional.
Optional.
Perform this configuration in R-APS VLAN mode based on the actual application requirements.
Verification
Run the show erps command one each node to check the configuration.
Related Commands
13-33
Configuration Guide Configuring ERPS
the period before timer expiration, all packets except flush packets indicating a subring topology
change will be discarded.
WTR timer: Is effective only for RPL owner devices to avoid ring status misjudgment. When an RPL
owner device detects that a failure is cleared, it does perform topology switching immediately but only if
the Ethernet ring is recovered after the WTR timer times out. If a ring failure is detected again before
timer expiration, the RPL owner device cancels the timer and does not perform topology switching.
Configuration Example
Scenario
Configuration ERPS configuration exists in the ring. The ERPS ports need to be switched because of a physical
Steps topology change.
Run the shutdown command to shut down a link in the ring and configure the link mode of ports after
switching.
Disable ERPS in the ring in R-APS VLAN mode.
Reconfigure the ports that will participate in ERPS calculation.
Enable ERPS in the ring.
Modify the ERPS timers.
Node 1 # Enter privileged mode.
13-34
Configuration Guide Configuring ERPS
# Disable ERPS.
# Reconfigure the ports that will participate in ERPS calculation. Change Gig 0/2 to Gig 0/3.
# Enable ERPS.
Wait for 1 minute. When the ERPS ring is restored to Idle, run the show erps command on Node 1 and
Node 4 to check the configuration.
Node 1
Ruijie# show erps
ERPS Information
--------------------------------------------
13-35
Configuration Guide Configuring ERPS
Node 4
Ruijie# show erps
ERPS Information
--------------------------------------------
Common Errors
When the configuration is completed, the R-APS ring is not enabled again or the shutdown ports are not restarted by
using the no shutdown command.
13.5 Monitoring
Displaying
Description Command
Displays the ERPS configuration and show erps [ global | raps_vlan vlan-id [ sub_ring ] ]
status of devices.
13-36
IP Address & Application Configuration
2. Configuring ARP
3. Configuring IPv6
4. Configuring DHCP
5. Configuring DHCPv6
6. Configuring DNS
9. Configuring TFTP
1.1 Overview
Internet Protocol (IP) sends packets to the destination from the source by using logical (or virtual) addresses, namely IP
addresses. At the network layer, routers forward packets based on IP addresses.
1.2 Applications
Application Description
Configuring an IP Address for Two networks communicate through one switch interface.
Communication
A switch is connected to a Local Area Network (LAN), which is divided into two network segments, namely, 172.16.1.0/24
and 172.16.2.0/24. Computers in the two network segments can communicate with the Internet through switches and
computers between the two network segments can communicate with each other.
Deployment
Configure two IP addresses on VLAN1. One is a primary IP address and the other is a secondary IP address.
1-1
Command Reference Configuring IP Addresses and Services
On hosts in the network segment 172.16.1.0/24, set the gateway to 172.16.1.1; on hosts in the network segment
172.16.2.0/24, set the gateway to 172.16.2.1.
1.3 Features
Basic Concepts
IP Address
An IP address consists of 32 bits in binary. To facilitate writing and description, an IP address is generally expressed in
decimal. When expressed in decimal, an IP address is divided into four groups, with eight bits in each group. The value range
of each group is from 0 to 255, and groups are separated by a full stop ".". For example, "192.168.1.1" is an IP address
expressed in decimal.
IP addresses are used for interconnection at the IP layer. A 32-bit IP address consists of two parts, namely, the network bits
and the host bits. Based on the values of the first several bits in the network part, IP addresses in use can be classified into
four classes.
For a class A address, the most significant bit is 0.7 bits indicate a network ID, and 24 bits indicate a local address. There are
128 class A networks in total.
Figure 1-2
8 16 24 32
For a class B address, the first two most significant bits are 10.14 bits indicate a network ID, and 16 bits indicate a local
address. There are 16,348 class B networks in total.
Figure 1-3
8 16 24 32
For a class C address, the first three most significant bits are 110.21 bits indicate a network ID, and 8 bits indicate a local
address. There are 2,097,152 class C networks in total.
Figure 1-4
8 16 24 32
Class C IP 1 1 0 Network ID Host ID
address
1-2
Command Reference Configuring IP Addresses and Services
For a class D address, the first four most significant bits are 1110 and other bits indicate a multicast address.
Figure 1-5
8 16 24 32
Class D IP 1 1 1 0 Multicast address
address
The addresses with the first four most significant bits 1111 cannot be assigned. These addresses are called class E
addresses and are reserved.
When IP addresses are planned during network construction, IP addresses must be assigned based on the property of the
network to be built. If the network needs to be connected to the Internet, users should apply for IP addresses to the
corresponding agency. In China, you can apply to China Internet Network Information Center (CNNIC) for IP addresses.
Internet Corporation for Assigned Names and Numbers (ICANN) is the final organization responsible for IP address
assignment. If the network to be built is an internal private network, users do not need to apply for IP addresses. However, IP
addresses cannot be assigned at random. It is recommended to assign dedicated private network addresses.
Three address ranges are dedicated to private networks. These addresses are not used in the Internet. If the networks to
which these addresses are assigned need to be connected to the Internet, these IP addresses need to be converted into
valid Internet addresses. The following table lists private address ranges. Private network addresses are defined in RFC
1918.
For assignment of IP addresses, TCP/UDP ports, and other codes, refer to RFC 1166.
1-3
Command Reference Configuring IP Addresses and Services
Subnet Mask
A subnet mask is also a 32-bit value. The bits that identify the IP address are the network address. In a subnet mask, the IP
address bits corresponding to the bits whose values are 1s are the network address, and the IP address bits corresponding
to the bits whose values are 0s are the host address. For example, for class A networks, the subnet mask is 255.0.0.0. By
using network masks, you can divide a network into several subnets. Subnetting means to use some bits of the host address
as the network address, thus decreasing the host capacity, and increasing the number of networks. In this case, network
masks are called subnet masks.
Broadcast Packet
Broadcast packets refer to the packets destined for all hosts on a physical network. Ruijie products support two types of
broadcast packets: (1) directed broadcast, which indicates that all hosts on the specified network are packet receivers and
the host bits of a destination address are all 1s; (2) limited broadcast, which indicates that all hosts on all networks are packet
receivers and the 32 bits of a destination address are all 1s.
ICMP Packet
Internet Control Message Protocol (ICMP) is a sub-protocol in the TCP/IP suite for transmitting control messages between IP
hosts and network devices. It is mainly used to notify corresponding devices when the network performance becomes
abnormal.
TTL
Time To Live (TTL) refers to the number of network segments where packets are allowed to pass before the packets are
discarded. The TTL is a value in an IP packet. It informs the network whether packets should be discarded as the packets
stay on the network for a long time.
Features
Feature Description
IP Address The IP protocol can run on an interface only after the interface is configured with an IP address.
Broadcast Packet Broadcast addresses are configured and broadcast packets are forwarded and processed.
Processing
Sending ICMP ICMP packets are sent and received.
Packets
Limiting This function prevents Denial of Service (DoS) attacks.
Transmission Rate of
ICMP Error Packets
IP MTU Maximum Transmission Unit (MTU) of IP packets on an interface is configured.
IP TTL The TTL of unicast packets and broadcast packets is configured.
IP Source Route Source routes are checked.
IP Address Pool An IP address is assigned to the peer end during PPP negotiation.
1-4
Command Reference Configuring IP Addresses and Services
1.3.1 IP Address
IP addresses are obtained on an interface in the following ways:
These approaches are mutually exclusive. If you configure a new approach to obtain an IP address , the old IP address will
be overwritten.
For details on how to obtain IP addresses through DHCP, see the “DHCP” chapter. The following describes the other
three approaches for obtaining IP addresses.
A device can receive and send IP packets only after the device is configured with an IP address. Only the interface
configured with an IP address can run the IP protocol.
Ruijie products support multiple IP address configuration on one interface, of which one is a primary IP address and the
others are secondary IP addresses or slave addresses. Theoretically, the number of secondary IP addresses is not limited.
However, secondary IP addresses must belong to different networks and secondary IP addresses must be in different
networks from primary IP addresses. In network construction, secondary IP addresses are often used in the following
circumstances:
A network does not have enough host addresses. For example, a LAN now needs one class C network to allocate 254
addresses. However, when the number of hosts exceeds 254, one class C network is not enough and another class C
network is needed. In this case, two networks need to be connected. Therefore, more IP addresses are needed.
Many old networks are based on L2 bridged networks without subnetting. You can use secondary IP addresses to
upgrade the network to a routing network based on IP layer. For each subnet, one device is configured with one IP
address.
When two subnets of one network are isolated by another network, you can connect the isolated subnets by creating a
subnet of the isolated network and configuring a secondary address. One subnet cannot be configured on two or more
interfaces of a device.
Through this configuration, a point-to-point interface accepts the IP address assigned by the peer end through PPP
negotiation.
Related Configuration
1-5
Command Reference Configuring IP Addresses and Services
After an IP address is configured, the IP address can be used for communication when it passes conflict detection.
The ip address ip-address mask secondary command can be used to configure multiple secondary IP addresses.
Broadcast is divided into two types. One is limited broadcast, and the IP address is 255.255.255.255. Because the broadcast
is prohibited by routers, the broadcast is called local network broadcast. The other is directed broadcast. All host bits are 1s,
for example, 192.168.1.255/24. The broadcast packets with these IP addresses can be forwarded.
If IP network devices forward limited broadcast packets (destination IP address is 255.255.255.255), the network may be
overloaded, which severely affects network performance. This circumstance is called broadcast storm. Devices provide
some approaches to confine broadcast storms within the local network and prevent continuous spread of broadcast storms.
L2 network devices such as bridges and switches forward and spread broadcast storms.
The best way to avoid broadcast storm is to assign a broadcast address to each network, which is directed broadcast. This
requires the IP protocol to use directed broadcast rather than limited broadcast to spread data.
For details about broadcast storms, see RFC 919 and RFC 922.
Directed broadcast packets refer to the broadcast packets destined for a subnet. For example, packets whose destination
address is 172.16.16.255 are called directed broadcast packets. However, the node that generates the packets is not a
member of the destination subnet.
After receiving directed broadcast packets, the devices not directly connected to the destination subnet forward the packets.
After directed broadcast packets reach the devices directly connected to the subnet, the devices convert directed broadcast
packets to limited broadcast packets (destination IP address is 255.255.255.255) and broadcast the packets to all hosts on
the destination subnet at the link layer.
Related Configuration
To define broadcast packets of other addresses, run the ip broadcast-address command on the interface.
On the specified interface, you can run the ip directed-broadcast command to enable directed broadcast packets
forwarding. In this way, the interface can forward directed broadcast packets to networks that are directly connected.
Broadcast packets can be transmitted within the destination subnet without affecting forwarding of other directed
broadcast packets.
1-6
Command Reference Configuring IP Addresses and Services
On an interface, you can define an Access Control List (ACL) to transmit certain directed broadcast packets. After an
ACL is defined, only directed broadcast packets that match the ACL are forwarded.
A device receives non-broadcast packets destined for itself, and he packets contain the IP protocol that cannot be processed
by the device. The device sends an ICMP protocol unreachable message to the source host. Besides, if the device does not
know a route to forward packets, it also sends an ICMP host unreachable message.
Sometimes, a route may be less than optimal, which makes a device send packets from the interface that receives packets. If
a device sends packets from an interface on which it receives the packets, the device sends an ICMP redirection message to
the source, informing the source that the gateway is another device on the same subnet. In this way, the source sends
subsequent packets according to the optimal path.
Sometimes, a network device sends an ICMP mask request message to obtain the mask of a subnet.. The network device
that receives the ICMP mask request message sends a mask response message.
Related Configuration
You can run the [no] ip unreachables command to disable or enable the function.
You can run the [no] ip redirects command to disable or enable the function.
You can run the [no] ip mask-reply command to disable or enable the function.
This function limits the transmission rate of ICMP error packets to prevent DoS attacks by using the token bucket algorithm.
1-7
Command Reference Configuring IP Addresses and Services
If an IP packet needs to be fragmented but the Don’t Fragment (DF) bit in the header is set to 1, the device sends an ICMP
destination unreachable packet (code 4) to the source host. This ICMP error packet is used to discover the path MTU. When
there are too many other ICMP error packets, the ICMP destination unreachable packet (code 4) may not be sent. As a result,
the path MTU discovery function fails. To avoid this problem, you should limit the transmission rate of ICMP destination
unreachable packets and other ICMP error packets respectively.
Related Configuration
Configuring the Transmission Rate of ICMP Destination Unreachable Packets Triggered by DF Bit in the IP
Header
The ip icmp error-interval DF command can be used to configure the transmission rate.
The ip icmp error-interval command can be used to configure the transmission rate.
1.3.5 IP MTU
Working Principle
If an IP packet exceeds the IP MTU size, the RGOS software splits the packet. For all devices in the same physical network
segment, the IP MTU of interconnected interfaces must be the same. You can adjust the link MTU of interfaces on Ruijie
products. After the link MTU of interfaces is changed, the IP MTU of interfaces will be changed. The IP MTU of interfaces
automatically keeps consistent with the link MTU of interfaces. However, if the IP MTU of interfaces is adjusted, the link MTU
of interfaces will not be changed.
Related Configuration
1.3.6 IP TTL
Working Principle
An IP packet is transmitted from the source address to the destination address through routers. After a TTL value is set, the
TTL value decreases by 1 every time when the IP packet passes a router. When the TTL value drops to zero, the router
discards the packet. This prevents infinite transmission of useless packets and waste of bandwidth.
Related Configuration
1-8
Command Reference Configuring IP Addresses and Services
Ruijie products support IP source routes. When a device receives an IP packet, it checks the options such as source route,
loose source route, and record route in the IP packet header. These options are detailed in RFC 791. If the device detects
that the packet enables one option, it responds; if the device detects an invalid option, it sends an ICMP parameter error
message to the source and then discards the packet.
After the IP source route is enabled, the source route option is added to an IP packet to test the throughput of a specific
network or help the packet bypasses the failed network. However, this may cause network attacks such as source address
spoofing and IP spoofing.
Related Configuration
1.4 Configuration
1-9
Command Reference Configuring IP Addresses and Services
(Optional) It is used to configure the TTL of unicast packets and broadcast packets.
Setting the IP TTL
ip ttl Sets the TTL value.
Notes
N/A
Configuration Steps
Mandatory
Optional
If a point-to-point interface is not configured with an IP address, obtain an IP address through PPP negotiation.
Verification
Run the show ip interface command to check whether the configuration takes effect.
Related Commands
1-10
Command Reference Configuring IP Addresses and Services
Configuration Example
Ruijie#configure terminal
Verification Run the show ip interface command to check whether the configuration takes effect.
GigabitEthernet 0/0
IP address is:
192.168.23.110/24 (primary)
Set the broadcast address of an interface to 0.0.0.0 and enable directed broadcast forwarding.
Notes
N/A
1-11
Command Reference Configuring IP Addresses and Services
Configuration Steps
(Optional) Some old hosts may identify broadcast address 0.0.0.0 only. In this case, set the broadcast address of the
target interface to 0.0.0.0.
(Optional) If you want to enable a host to send broadcast packets to all hosts in a domain that it is not in, enable
directed broadcast forwarding.
Verification
Run the show running-config interface command to check whether the configuration takes effect.
Related Commands
1-12
Command Reference Configuring IP Addresses and Services
Configuration Example
Configuration On interface gigabitEthernet 0/1, set the destination address of IP broadcast packets to 0.0.0.0 and enable
Steps directed broadcast forwarding.
Ruijie#configure terminal
Verification Run the show ip interface command to check whether the configuration takes effect.
ip directed-broadcast
ip broadcast-address 0.0.0.0
Enable ICMP unreachable messages, ICMP redirection messages, and mask response messages on an interface.
Notes
N/A
Configuration Steps
(Optional) The no ip mask-reply command can be used to disable ICMP mask response messages.
1-13
Command Reference Configuring IP Addresses and Services
Verification
Run the show ip interface command to check whether the configuration takes effect.
Related Commands
Command ip unreachables
Parameter N/A
Description
Command Interface configuration mode
Mode
Usage Guide N/A
Command ip redirects
Parameter N/A
Description
Command Interface configuration mode
Mode
Usage Guide N/A
Command ip mask-reply
Parameter N/A
Description
Command Interface configuration mode
Mode
Usage Guide N/A
Configuration Example
Configuration Enable ICMP unreachable messages, ICMP redirection messages, and mask response messages on
Steps interface gigabitEthernet 0/1.
1-14
Command Reference Configuring IP Addresses and Services
Ruijie#configure terminal
Verification Run the show ip interface command to check whether the configuration takes effect.
GigabitEthernet 0/1
Notes
N/A
Configuration Steps
Configuring the Transmission Rate of ICMP Destination Unreachable Packets Triggered by the DF Bit in the IP
Header
Optional
Optional
Verification
Run the show running-config command to check whether the configuration takes effect.
1-15
Command Reference Configuring IP Addresses and Services
Related Commands
Configuring the Transmission Rate of ICMP Destination Unreachable Packets Triggered by the DF Bit in the IP
Header
1-16
Command Reference Configuring IP Addresses and Services
refresh cycle that actually takes effect is automatically converted to integral multiples of 10 milliseconds. For
example, if the refresh rate is set to 3 per 15 milliseconds, the refresh rate that actually takes effect is 2 per
10 milliseconds.
Configuration Example
Configuration Set the transmission rate of ICMP destination unreachable packets triggered the DF bit in IP header to 100
Steps packets per second and the transmission rate of other ICMP error packets to 10 packets per second.
Verification Run the show running-config command to check whether the configuration takes effect.
Notes
N/A
Configuration Steps
(Optional) When the IP MTU of interconnected interfaces is different on devices in the same physical network segment,
set the IP MTU to the same value.
Verification
Run the show ip interface command to check whether the configuration takes effect.
Related Commands
Command ip mtubytes
Parameter bytes: IP packet MTU. The value range is from 68 to 1,500 bytes.
Description
Command Interface configuration mode
Mode
1-17
Command Reference Configuring IP Addresses and Services
Configuration Example
Ruijie#configure terminal
Verification Run the show ip interface command to check whether the configuration takes effect.
Notes
N/A
Configuration Steps
Optional
Verification
Run the show run-config command to check whether the configuration takes effect.
Related Commands
1-18
Command Reference Configuring IP Addresses and Services
Configuration Example
Ruijie#configure terminal
Verification Run the show run-config command to check whether the configuration takes effect.
Ruijie#show running-config
ip ttl 100
Notes
N/A
Configuration Steps
Optional) The no ip source-route command can be used to disable the IP source route function.
Verification
Run the show run-config command to check whether the configuration takes effect.
Related Commands
Command ip source-route
Parameter N/A
Description
Command Global configuration mode.
Mode
Usage Guide N/A
Configuration Example
1-19
Command Reference Configuring IP Addresses and Services
Ruijie#configure terminal
Ruijie(config)#no ip source-route
Verification Run the show run-config command to check whether the configuration takes effect.
Ruijie#show running-config
no ip source-route
1.5 Monitoring
Displaying
Description Command
Displays the IP address of an interface. show ip interface [interface-typeinterface-number | brief]
1-20
Command Reference Configuring ARP
2 Configuring ARP
2.1 Overview
In a local area network (LAN), each IP network device has two addresses: 1) local address. Since the local address is
contained in the header of the data link layer (DLL) frame, it is a DLL address. However, it is processed by the MAC sublayer
at the DLL and thereby is usually called the MAC address. MAC addresses represent IP network devices on LANs. 2)
network address. Network addresses on the Internet represent IP network devices and also indicate the networks where the
devices reside.
In a LAN, two IP devices can communicate with each other only after they learn the 48-bit MAC address of each other. The
process of obtaining the MAC address based on the IP address is called address resolution. There are two types of address
resolution protocols: 1) Address Resolution Protocol (ARP); 2) Proxy ARP. ARP and Proxy ARP are described respectively in
RFC 826 and RFC 1027.
ARP is used to bind the MAC address with the IP address. When you enter an IP address, you can learn the corresponding
MAC address through ARP. Once the MAC address is obtained, the IP-MAC mapping will be saved to the ARP cache of the
network device. With the MAC address, the IP device can encapsulate DLL frames and send them to the LAN. By default, IP
and ARP packets on the Ethernet are encapsulated in Ethernet II frames.
2.2 Applications
Application Description
LAN-based ARP A user learns the MAC addresses of other users in the same network segment
through ARP.
Proxy ARP-based Transparent With Proxy ARP, a user can directly communicate with users in another network
Transmission without knowing that it exists.
A user needs to learn the MAC addresses of other users through ARP to communicate with them.
2-1
Command Reference Configuring ARP
Figure 2-1
Remarks A is a router.
B is a switch. It acts as the gateway.
C, D, and E are hosts.
Deployment
Enable Proxy ARP on the router to achieve direct communication between users in different network segments.
Figure 2-2
Deployment
Enable Proxy ARP on the subnet gateway. After configuration, the gateway can act as a proxy to enable a host without
any route information to obtain MAC addresses of IP users in other subnets.
2-2
Command Reference Configuring ARP
2.3 Features
Overview
Feature Description
Static ARP Users can manually specify IP-MAC mapping to prevent the device from learning incorrect ARP
entries.
ARP Attributes Users can specify the ARP entry timeout, ARP request retransmission times and interval, and
maximum number of unresolved ARP entries.
Trusted ARP Trusted ARP is used to prevent ARP spoofing.
Gratuitous ARP Gratuitous ARP is used to detect IP address conflicts and enable peripheral devices to update
ARP entries.
Proxy ARP A proxy replies to the ARP requests from other devices in different subnets.
Local Proxy ARP A proxy replies to the ARP requests from other devices in the same subnet.
ARP Trustworthiness Neighbor Unreachable Detection (NUD) is used to ensure that correct ARP entries are learned.
Detection
ARP-based IP Guard You can set the number of IP packets for triggering ARP drop to prevent a large number of
unknown unicast packets from being sent to the CPU.
Working Principle
If static ARP entries are configured, the device does not actively update ARP entries and these ARP entries permanently
exist.
When the device forwards Layer-3 packets, the static MAC address is encapsulated in the Ethernet header as the
destination MAC address.
Related Configuration
Run the arp ip-address mac-address type command in global configuration mode to configure static ARP entries. By default,
no static ARP entry is configured. ARP encapsulation supports only the Ethernet II type, which is represented by ARPA.
2-3
Command Reference Configuring ARP
Working Principle
ARP Timeout
The ARP timeout only applies to the dynamically learned IP-MAC mapping. When the ARP entry timeout expires, the device
sends a unicast ARP request packet to detect whether the peer end is online. If it receives an ARP reply from the peer end, it
does not delete this ARP entry. Otherwise, the device deletes this ARP entry.
When the ARP timeout is set to a smaller value, the mapping table stored in the ARP cache is more accurate but ARP
consumes more network bandwidth.
The device consecutively sends ARP requests to resolve an IP address to a MAC address. The shorter the retransmission
interval is, the faster the resolution is. The more times the ARP request is retransmitted, the more likely the resolution will
succeed and the more bandwidth ARP will consume.
In a LAN, ARP attacks and scanning may cause a large number of unresolved ARP entries generated on the gateway. As a
result, the gateway fails to learn the MAC addresses of the users. To prevent such attacks, users can configure the maximum
number of unresolved ARP entries.
Configure the maximum number of ARP entries on a specified interface to prevent ARP entry resource waste.
Related Configuration
Run the arp timeout seconds command in interface configuration mode to configure the ARP timeout. The default timeout is
3,600 seconds. You can change it based on actual situations.
Run the arp retry interval seconds command in global configuration mode to configure the ARP request
retransmission interval. The default interval is 1 second. You can change it based on actual situations.
Run the arp retry times number command in global configuration mode to configure the ARP request retransmission
times. The default number of retransmission times is 5. You can change it based on actual situations.
Run the arp unresolve number command in global configuration mode to configure the maximum number of unresolved
ARP entries. The default value is the maximum number of ARP entries supported by the device. You can change it based on
actual situations.
2-4
Command Reference Configuring ARP
Run the arp cache interface-limit limit command in interface configuration mode to configure the maximum number of ARP
entries learned on an interface. The default number is 0. You can change it based on actual situations. This command also
applies to static ARP entries.
As a type of special ARP entries, trusted ARP entries are added to the ARP table to prevent ARP spoofing. Trusted ARP
entries have characteristics of both static and dynamic ARP entries, with a priority higher than that of dynamic ARP entries
and lower than that of static ARP entries. Trusted ARP has an aging mechanism similar to that of dynamic ARP. When an
ARP entry ages, the device actively sends an ARP request packet to detect whether the corresponding user exists. If the
user sends a reply, the device regards the user active and updates the ARP timeout. Otherwise, the device deletes the ARP
entry. Trusted ARP has characteristics of static ARP, that is, the device does not learn ARP packets to update the MAC
address and interface ID in the ARP entry.
When a user goes online on a GSN client, the authentication server obtains the user's reliable IP-MAC mapping through the
access switch, and adds trusted ARP entries to the user's gateway. This process is transparent to the network administrator
and does not affect the administrator’s work on network management.
Since trusted ARP entries come from authentic sources and will not be updated, they can efficiently prevent ARP spoofing
targeted at the gateway.
Related Configuration
Run the service trustedarp command in global configuration mode to enable trusted ARP. This function is disabled by
default.
Run the arp trusted user-vlan vid1 translated-vlan vid2 command in global configuration mode to implement VLAN
redirection. This function is disabled by default. If the VLAN pushed by the server differs from the VLAN in the trusted
ARP entry, users need to enable VLAN redirection.
Run the arp trusted aging command in global configuration mode to enable ARP aging. Trusted ARP entries are not
aged by default.
Run the arp trusted number command in global configuration mode to configure the capacity of trusted ARP entries.
The default value is half of the total capacity of ARP entries. You can change it based on actual situations.
Gratuitous ARP packets are a special type of ARP packets. In a gratuitous ARP packet, the source and destination IP
addresses are the IP address of the local device. Gratuitous ARP packets have two purposes:
1. IP address conflict detection. If the device receives a gratuitous packet and finds the IP address in the packet the same
as its own IP address, it sends an ARP reply to notify the peer end of the IP address conflict.
2-5
Command Reference Configuring ARP
2. ARP update. When the MAC address of an interface changes, the device sends a gratuitous ARP packet to notify other
devices to update ARP entries.
The device can learn gratuitous ARP packets. After receiving a gratuitous ARP packet, the device checks whether the
corresponding dynamic ARP entry exists. If yes, the device updates the ARP entry based on the information carried in the
gratuitous ARP packet.
Related Configuration
Run the arp gratuitous-send interval seconds [number] command in interface configuration mode to enable gratuitous ARP.
This function is disabled on interfaces by default. Generally you need to enable this function on the gateway interface to
periodically update the MAC address of the gateway on the downlink devices, which prevents others from faking the
gateway.
The device enabled with Proxy ARP can help a host without any route information to obtain MAC addresses of IP users in
other subnets. For example, if the device receiving an ARP request finds the source IP address in a different network
segment from the destination IP address and knows the route to the destination address, the device sends an ARP reply
containing its own Ethernet MAC address. This is how Proxy ARP works.
Related Configuration
Run the ip proxy-arp command in interface configuration mode to enable Proxy ARP.
Local Proxy ARP means that a device acts as a proxy in the local VLAN (common VLAN or sub VLAN).
After local Proxy ARP is enabled, the device can help users to obtain the MAC addresses of other users in the same subnet.
For example, when port protection is enabled on the device, users connected to different ports are isolated at Layer 2. After
local Proxy ARP is enabled, the device receiving an ARP request acts as a proxy to send an ARP reply containing its own
Ethernet MAC address. In this case, different users communicate with each other through Layer-3 routes. This is how local
Proxy ARP works.
Related Configuration
2-6
Command Reference Configuring ARP
Run the local-proxy-arp command in interface configuration mode to enable local Proxy ARP.
The arp trust-monitor enable command is used to enable anti-ARP spoofing to prevent excessive useless ARP entries
from occupying device resources. After ARP trustworthiness detection is enabled on a Layer-3 interface, the device receives
ARP request packets from this interface:
1. If the corresponding entry does not exist, the device creates a dynamic ARP entry and performs NUD after 1 to 5
seconds. That is, the device begins to age the newly learned ARP entry and sends a unicast ARP request. If the device
receives an ARP update packet from the peer end within the aging time, it stores the entry. If not, it deletes the entry.
2. If the corresponding ARP entry exists, NUD is not performed.
3. If the MAC address in the existing dynamic ARP entry is updated, the device also performs NUD.
Since this function adds a strict confirmation procedure in the ARP learning process, it affects the efficiency of ARP learning.
After this function is disabled, NUD is not required for learning and updating ARP entries.
Related Configuration
Run the arp trust-monitor enable command in interface configuration mode to enable ARP trustworthiness detection. This
function is disabled by default.
When receiving unresolved IP packets, the switch cannot forward them through the hardware and thereby need to send them
to the CPU for address resolution. If a large number of such packets are sent to the CPU, the CPU will be congested,
affecting other services on the switch.
After ARP-based IP guard is enabled, the switch receiving ARP request packets counts the number of packets in which the
destination IP address hits this ARP entry. If this number is equal to the configured number, the switch sets a drop entry in
the hardware so that the hardware will not send the packets with this destination IP address to the CPU. After the address
resolution is complete, the switch continues to forward the packets with this destination IP address.
Related Configuration
Run the arp anti-ip-attack command in global configuration mode to configure the number of IP packets for triggering
ARP drop.
2-7
Command Reference Configuring ARP
By default, the switch discards the corresponding ARP entry after it receives three unknown unicast packets containing
the same destination IP address.
2.4 Configuration
(Optional) It is used to specify the ARP timeout, ARP request retransmission interval and
times, maximum number of unresolved ARP entries and maximum number of ARP
entries on an interface.
(Optional) It is used to act as a proxy to reply to ARP requests from the devices in
Enabling Proxy ARP different subnets.
(Optional) It is used to act as a proxy to reply to ARP requests from other devices in the
Enabling Local Proxy ARP same subnet.
2-8
Command Reference Configuring ARP
(Optional) It is used to unicast ARP request packets to ensure that correct ARP entries
Enabling ARP
are learned.
Trustworthiness Detection
arp trusted-monitor enable Enables ARP trustworthiness detection.
(Optional) It is used to prevent a large number of IP packets from being sent to the CPU.
Enabling ARP-based IP
Guard Configures the number of IP packets for
arp anti-ip-attack
triggering ARP drop.
Users can manually specify IP-MAC mapping to prevent the device from learning incorrect ARP entries.
Notes
After a static ARP entry is configured, the Layer-3 switch learns the physical port corresponding to the MAC address in the
static ARP entry before it performs Layer-3 routing.
Configuration Steps
Optional.
You can configure a static ARP entry to bind the IP address of the uplink device with its MAC address to prevent MAC
change caused by ARP attacks.
Verification
Run the show running-config command to check whether the configuration takes effect. Or run the show arp static
command to check whether a static ARP cache table is created.
Related Commands
2-9
Command Reference Configuring ARP
Since most hosts support dynamic ARP resolution, usually the static ARP mapping are not configured. Use
the clear arp-cache command to delete the dynamic ARP entries.
Configuration Example
Scenario
Configuration Configure a static ARP entry on B to statically bind the IP address of A with the MAC address.
Steps
Ruijie(config)#arp 192.168.23.1 00D0.F822.334B arpa
Verification Run the show arp static command to display the static ARP entry.
Common Errors
Users can specify the ARP timeout, ARP request retransmission interval and times, maximum number of unresolved ARP
entries, maximum number of ARP entries on an interface, and maximum number of ARP entries on a board.
Configuration Steps
Optional.
In a LAN, if a user goes online/offline frequently, it is recommended to set the ARP timeout small to delete invalid ARP
entries as soon as possible.
2-10
Command Reference Configuring ARP
Optional.
If the network resources are insufficient, it is recommended to set the ARP request retransmission interval great and the
retransmission times small to reduce the consumption of network bandwidths.
Configure the ARP request retransmission interval and times in global configuration mode.
Optional.
If the network resources are insufficient, it is recommended to set the maximum number of unresolved ARP entries
small to reduce the consumption of network bandwidths.
Configure the maximum number of unresolved ARP entries in global configuration mode.
Optional.
Configure the maximum number of ARP entries on an interface in interface configuration mode.
Verification
Run the show arp timeout command to display the timeouts of all interfaces.
Run the show running-config command to display the ARP request retransmission interval and times, maximum number of
unresolved ARP entries, maximum number of ARP entries on an interface, and maximum number of ARP entries on a board.
Related Commands
2-11
Command Reference Configuring ARP
retransmission interval longer. Ensure that this interval does not exceed the ARP timeout.
Configuration Example
Scenario
Remarks A: Router
B: Switch serving as a gateway
C, D and E: Users
Configuration Set the ARP timeout to 60 seconds on port GigabitEthernet 0/1.
Steps Set the maximum number of learned ARP entries to 300 on port GigabitEthernet 0/1.
Set the ARP request retransmission interval to 3 seconds.
Set the ARP request retransmission times to 4.
Set the maximum number of unresolved ARP entries to 4,096.
2-12
Command Reference Configuring ARP
Set the maximum number of learned ARP entries to 1,000 on Sub Slot 2 of Slot 1.
Ruijie(config-if-GigabitEthernet 0/1)#exit
Verification Run the show arp timeout command to display the timeout of the interface.
Run the show running-config command to display the ARP request retransmission interval and
times, maximum number of unresolved ARP entries and maximum number of ARP entries on the
interface,.
---------------------- ----------------
GigabitEthernet 0/1 60
2-13
Command Reference Configuring ARP
Notes
Configuration Steps
Verification
Run the show arp trusted command to display trusted ARP entries.
Run the show running command to check whether the configuration takes effect.
Related Commands
2-14
Command Reference Configuring ARP
Description specified, only the trusted ARP entries are displayed. Otherwise, the non-trusted ARP entries are displayed.
mask: ARP entries within the IP subnet are displayed. If keyword trusted is specified, only the trusted ARP
entries are displayed. Otherwise, the non-trusted ARP entries are displayed.
Command Privileged EXEC mode
Mode
Usage Guide N/A
2-15
Command Reference Configuring ARP
Configuration Example
Scenario
Remarks
A: Router
C, D and E: Users
Ruijie(config)#service trustedarp
Verification Run the show running-config command to check whether the configurations take effect.
service trustedarp
Common Errors
2-16
Command Reference Configuring ARP
Configuration Steps
Optional.
When a switch acts as the gateway, enable gratuitous ARP on an interface to prevent other users from learning
incorrect gateway MAC address in case of ARP spoofing.
Verification
Related Commands
Configuration Example
Scenario
Remarks
A: Router
C, D and E: Users
Configuration Configure the GigabitEthernet 0/0 interface to send a gratuitous ARP packet every 5 seconds.
Steps
2-17
Command Reference Configuring ARP
Verification Run the show running-config interface command to check whether the configuration takes effect.
Building configuration...
duplex auto
speed auto
The device acts as a proxy to reply to ARP request packets from other users.
Notes
Configuration Steps
Optional.
If a user without any route information needs to obtain the MAC addresses of the IP users in other subnets, enable
Proxy ARP on the device so that the device can act as a proxy to send ARP replies.
Verification
Run the show ip interface [name] command to check whether the configuration takes effect.
Related Commands
Command ip proxy-arp
Parameter N/A
Description
2-18
Command Reference Configuring ARP
Configuration Example
Scenario
Remarks
A: Router
C, D and E: Users
Verification Run the show ip interface command to check whether the configuration takes effect.
GigabitEthernet 0/0
IP address is:
No address configured
2-19
Command Reference Configuring ARP
Request packet : 0
Reply packet : 0
Unknown packet : 0
Echo request : 0
Echo reply : 0
Unreachable : 0
Source quench : 0
Routing redirect : 0
The device acts as a proxy to reply to ARP request packets from other users in the same subnet.
Notes
Configuration Steps
Optional.
If a user enabled with port protection needs to communicate with users in the VLAN, enable local Proxy ARP on the
device.
Verification
Run the show run interface [name]command to check whether the configuration takes effect.
Related Commands
Command local-proxy-arp
Parameter N/A
Description
2-20
Command Reference Configuring ARP
Configuration Example
Scenario
Remarks
A: Router
C, D and E: Users
Ruijie(config-if-VLAN 1)#local-proxy-arp
Verification Run the show ip interface command to check whether the configuration takes effect.
Building configuration...
interface VLAN 1
local-proxy-arp
2-21
Command Reference Configuring ARP
Enable ARP trustworthiness detection. If the device receiving an ARP request packet fails to find the corresponding entry, it
performs NUD. If the MAC address in the existing dynamic ARP entry is updated, the device immediately performs NUD to
prevent ARP attacks.
Notes
Since this function adds a strict confirmation procedure in the ARP learning process, it affects the efficiency of ARP learning.
Configuration Steps
Optional.
If there is a need for learning ARP entries, enable ARP trustworthiness detection on the device. If the device receiving
an ARP request packet fails to find the corresponding entry, it needs to send a unicast ARP request packet to check
whether the peer end exists. If yes, the device learns the ARP entry. If not, the device does not learn the ARP entry. If
the MAC address in the ARP entry changes, the device will immediately perform NUD to prevent ARP spoofing.
Verification
Run the show running-config interface [name]command to check whether the configuration take effect
Related Commands
Enable this function. If the MAC address of the existing dynamic ARP entry is updated, the device
immediately performs NUD.
After this function is disabled, the device does not perform NUD for learning or updating ARP entries.
2-22
Command Reference Configuring ARP
Configuration Example
Scenario
Remarks
A: Router
C, D and E: Users
Verification Run the show running-config interface command to check whether the configuration takes effect.
Building configuration...
duplex auto
speed auto
When the CPU receives the specified number of packets in which the destination IP address hits the ARP entry, all packets
with this destination IP address will not be sent to the CPU afterwards.
2-23
Command Reference Configuring ARP
Notes
Configuration Steps
Optional.
By default, when three unknown unicast packets are sent to the switch CPU, the drop entry is set. Users can run this
command to adjust the number of packets for triggering ARP drop based on the network environment. Users can also
disable this function.
Verification
Run the show run command to check whether the configuration takes effect.
Related Commands
Configuration Example
Scenario
Remarks
A: Router
2-24
Command Reference Configuring ARP
C, D and E: Users
Verification Run the show running-config command to check whether the configuration takes effect.
Ruijie#show running-config
Building configuration...
arp anti-ip-attack 10
2.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears dynamic ARP entries. In clear arp-cache
gateway authentication mode,
dynamic ARP entries in
authentication VLANs are not
cleared.
Displaying
Description Command
show arp [detail] [interface-type interface-number[ip [mask] | mac-address | static|
Displays the ARP table in detail.
complete | incomplete ]]
Displays the ARP table. show ip arp
Displays the trusted ARP table. show arp [detail] trusted [ip [mask]]
Displays the ARP entry counter. show arp counter
Displays the timeout of dynamic ARP
show arp timeout
entries.
Debugging
System resources are occupied when debugging information is output. Therefore, disable the debugging switch
immediately after use.
Description Command
2-25
Command Reference Configuring ARP
2-26
Command Reference Configuring IPv6
3 Configuring IPv6
3.1 Overview
As the Internet develops rapidly and IPv4 address space is becoming exhausted, IPv4 limitations become more and more
obvious. At present, many researches and practices on Internet Protocol Next Generation (IPng) have been conducted. The
IPng working group of the Internet Engineering Task Force (IETF) has formulated an IPng protocol named IP Version 6
(IPv6), which is described in RFC 2460.
Main Features
Compared with 32 bits in an IPv4 address, the length of an IPv6 address is extended to 128 bits. Therefore, the address
128
space has approximately 2 addresses. IPv6 adopts a hierarchical address allocation mode to support address allocation of
multiple subnets from the Internet core network to intranet subnet.
Since the design principle of the IPv6 packet header is to minimize the overhead of the packet header, some non-key fields
and optional fields are removed from the packet header to the extended packet header. Therefore, although the length of an
IPv6 address is four times of that of an IPv4 address, the IPv6 packet header is only two times of the IPv4 packet header.
The IPv6 packet header makes device forwarding more efficient. For example, with no checksum in the IPv6 packet header,
the IPv6 device does not need to process fragments (fragmentation is completed by the initiator).
IPv6 uses a convergence mechanism and defines a flexible hierarchical addressing and routing structure. Multiple networks
at the same layer are represented as a uniform network prefix on the upstream device, greatly reducing routing entries
maintained by the device and routing and storage overheads of the device.
IPv6 provides automatic discovery and auto-configuration functions to simplify management and maintenance of network
nodes. For example, Neighbor Discovery (ND), MTU Discovery, Router Advertisement (RA), Router Solicitation (RS), and
auto-configuration technologies provide related services for PnP. Particularly, IPv6 offers two types of auto-configuration:
stateful auto-configuration and stateless auto-configuration. In IPv4, Dynamic Host Configuration Protocol (DHCP) realizes
auto-configuration of the host IP address and related parameters. IPv6 inherits this auto-configuration service from IPv4 and
called it stateful auto-configuration (see DHCPv6). Besides, IPv6 also offers the stateless auto-configuration service.During
stateless auto-configuration, a host automatically obtains the local address of the link, address prefix of the local device, and
other related configurations.
Security
3-1
Command Reference Configuring IPv6
As an optional extension protocol of IPv4, Internet Protocol Security (IPSec) is a part of IPv6 to provide security for IPv6
packets. At present, IPv6 provides two mechanisms: Authentication Header (AH) and Encapsulated Security Payload (ESP).
AH provides data integrity and authenticates IP packet sources to ensure that the packets originate from the nodes identified
by the source addresses. ESP provides data encryption to realize end-to-end encryption.
A new field in the IPv6 packet header defines how to identify and process data streams. The Flow Label field in the IPv6
packet header is used to authenticate a data flow. Using this field, IPv6 allows users to propose requirements on the
communication quality. , A device can identify all packets belonging to a specific data stream based on this field and process
these packets according to user requirements.
IPv6 Neighbor Discovery Protocol (NDP) uses a series of Internet Control Message Protocol Version 6 (ICMPv6) packets to
implement interactive management of neighboring nodes (nodes on the same link). IPv6 uses NDP packets and efficient
multicast/unicast ND packets instead of broadcast-based Address Resolution Protocol (ARP) and Control Message Protocol
Version 4 (ICMPv4) router discovery packets.
Extensibility
With strong extensibility, IPv6 features can be added to the extended packet header following the IPv6 packet header. Unlike
IPv4, the IPv6 packet header can support at most 40 bytes of options. For an IPv6 packet, the length of the extended packet
header is restricted only by the maximum number of bytes in the packet.
RFC 4443 - Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
3.2 Applications
Application Description
Communication Based on IPv6 Two PCs communicate with each other using IPv6 addresses.
Addresses
3-2
Command Reference Configuring IPv6
As shown in Figure 3-1, Host 1 and Host 2 communicate with each other using IPv6 addresses.
Figure 3-1
Deployment
Hosts can use the stateless address auto-configuration or DHCPv6 address assignment mode. After addresses are
configured, hosts can communicate with each other using IPv6 addresses.
3.3 Features
Overview
Feature Description
IPv6 Address Format The IPv6 address format makes IPv6 have a larger address space and flexible representation
approach.
IPv6 Address Type IPv6 identifies network applications based on addresses.
IPv6 Packet Header IPv6 simplifies the fixed and extended packet headers to improve the data packet processing and
Format forwarding efficiency of the device.
IPv6 Neighbor ND functions include router discovery, prefix discovery, parameter discovery, address
Discovery auto-configuration, address resolution (like ARP), next-hop determination, Neighbor Unreachability
Detection (NUD), Duplicate Address Detection (DAD), and redirection.
IPv6 Source Routing This feature is used to specify the intermediate nodes that a packet passes through along the path to
the destination address. It is similar to the IPv4 loose source routing option and loose record routing
option.
Restricting the This feature prevents DoS attacks.
Sending Rate of
ICMPv6 Error
Messages
IPv6 HOP-LIMIT This feature prevents useless unicast packets from being unlimitedly transmitted on the network and
wasting network bandwidth.
3-3
Command Reference Configuring IPv6
2001:ABCD:1234:5678:AAAA:BBBB:1200:2100
800:0:0:0:0:0:0:1
1080:0:0:0:8:800:200C:417A
These integers are hexadecimal, where A to F represent 10 to 15. Each integer in the address must be represented, except
the leading zeros in each integer. If an IPv6 address contains a string of zeros (as shown in the second and third examples
above), a double colon (::) can be used to represent these zeros. That is, 800:0:0:0:0:0:0:1 can be represented as 800::1.
A double colon indicates that this address can be extended to a complete 128-bit address. In this approach, only when the
16-bit integers are all 0s, can they can be replaced with a double colon. A double colon can exist once in an IPv6 address.
In IPv4/IPv6 mixed environment, an address has a mixed representation. In an IPv6 address, the least significant 32 bits can
be used to represent an IPv4 address. This IPv6 address can be represented in a mixed manner, that is, X:X:X:X:X:X:d.d.d.d,
where X is a hexadecimal integer and d is a 8-bit decimal integer. For example, 0:0:0:0:0:0:192.168.20.1 is a valid IPv6
address. It can be abbreviated to :::192.168.20.1. Typical applications are IPv4-compatible IPv6 addresses and
IPv4-mapped IPv6 addresses. If the first 96 bits are 0 in an IPv4-compatible IPv6 address, this address can be represented
as ::A.B.C.D, e.g., ::1.1.1.1. IPv4-compatible addresses have been abolished at present. IPv4-mapped IPv6 addresses are
represented as ::FFFF:A.B.C.D to represent IPv4 addresses as IPv6 addresses. For example, IPv4 address 1.1.1.1 mapped
to an IPv6 address is represented as ::FFFF:1.1.1.1.
Since an IPv6 address is divided into two parts: subnet prefix and interface ID, it can be represented as an address with an
additional value according to an address allocation method like Classless Inter-Domain Routing (CIDR). The additional value
indicates how many bits (subnet prefix) in the address represent the network part. That is, the IPv6 node address contains
the prefix length. The prefix length is separated from the IPv6 address by a slash. For example, in 12AB::CD30:0:0:0:0/60,
the prefix length used for routing is 60 bits.
Related Configuration
After configuration, a host can communicate with others using the configured IPv6 address based on DAD.
Unicast address: ID of a single interface. Packets destined to a unicast address are sent to the interface identified by
this address.
3-4
Command Reference Configuring IPv6
Multicast address: ID of an interface group (the interfaces generally belong to different nodes). Packets destined to a
multicast address are sent to all interfaces included in this address.
Anycast address: ID of an interface group. Packets destined to an anycast address are sent to one interface included in
this address (the nearest interface according to the routing protocol).
Unicast Addresses
Unicast addresses fall into five types: unspecified address, loopback address, link-local address, site-local address, and
global unicast address. At present, site-local addresses have been abolished. Except unspecified, loopback, and link-local
addresses, all other addresses are global unicast addresses.
Unspecified address
The unspecified address is 0:0:0:0:0:0:0:0, which is usually abbreviated to ::. It has two general purposes:
1. If a host has no unicast address when started, it uses the unspecified address as the source address to send an RS
packet to obtain prefix information from the gateway and thereby generate a unicast address.
2. When an IPv6 address is configured for a host, the device detects whether the address conflicts with addresses of other
hosts in the same network segment and uses the unspecified address as the source address to send a Neighbor
Solicitation (NS) packet (similar to a free ARP packet).
Loopback address
The loopback address is 0:0:0:0:0:0:0:1, which is usually abbreviated to ::1. Similar to IPv4 address 127.0.0.1, the loopback
address is generally used by a node to send itself packets.
Link-local address
Figure 3-2
The link-local address is used on a single network link to assign IDs to hosts. The address identified by the first 10 bits in the
prefix is the link-local address. A device never forwards packets in which the source or destination address contains the
link-local address. The intermediate 54 bits in the address are all 0s. The last 64 bits represent the interface ID, which allows
64
a single network to connect 2 -1 hosts.
Site-local address
Figure 3-3
3-5
Command Reference Configuring IPv6
A site-local address is used to transmit data within a site. A device never forwards packets in which the source or destination
address contains the site-local address to the Internet. That is, these packets can be forwarded only within the site. A site can
be assumed as an enterprise's local area network (LAN). Such addresses are similar to IPv4 private addresses such as
192.168.0.0/16. RFC 3879 has abolished site-local addresses. New addresses do not support the first 10 bits as the prefix
and are all regarded as global unicast addresses. Existing addresses can continue to use this prefix.
Figure 3-4
Among global unicast addresses, there is a type of IPv4-embedded IPv6 addresses, including IPv4-compatible IPv6
addresses and IPv4-mapped IPv6 addresses. They are used for interconnection between IPv4 nodes and IPv6 nodes.
Figure 3-5
Figure 3-6
IPv4-compatible IPv6 addresses are mainly used on automatic tunnels. Nodes on automatic tunnels support both IPv4 and
IPv6. Using these addresses, IPv4 devices transmit IPv6 packets over tunnels. At present, IPv4-compatible IPv6 addresses
have been abolished. IPv4-mapped IPv6 addresses are used by IPv6 nodes to access IPv4-only nodes. For example, if the
IPv6 application on an IPv4/IPv6 host requests to resolve the name of an IPv4-only host, the name server dynamically
generates an IPv4-mapped IPv6 address and returns it to the IPv6 application.
Multicast Addresses
3-6
Command Reference Configuring IPv6
| 8 | 4| 4| 112 bits |
+--------+----+----+---------------------------------------------+
|11111111|flgs|scop| group ID |
+--------+----+----+---------------------------------------------+
The first byte in the address is all 1s, representing a multicast address.
Flag field
The flag field consists of four bits. Currently only the fourth bit is specified to indicate whether this address is a known
multicast address assigned by the Internet Assigned Numbers Authority (IANA) or a temporary multicast address in a certain
scenario. If the flag bit is 0, this address is a known multicast address. If the flag bit is 1, this address is a temporary multicast
address. The remaining three flag bits are reserved for future use.
Scope field
The scope field consists of four bits to indicate the multicast range. That is, a multicast group includes the local node, local
link, local site, and any node in the IPv6 global address space.
Group ID field
The group ID consists of 112 bits to identify a multicast group. A multicast ID can represent different groups based on the flag
and scope fields.
IPv6 multicast addresses are prefixed with FF00::/8. One IPv6 multicast address usually identifies interfaces on a series of
different nodes. After a packet is sent to a multicast address, the packet is then forwarded to the interfaces on each node
identified by this multicast address. For a node (host or device), you must add the following multicast addresses:
3. Multicast address for all nodes on the local link, that is, FF02::1
If the node is a device, it also has to be added to the multicast address of all devices on the local link, that is, FF02::2.
The solicited-node multicast address corresponds to the IPv6 unicast and anycast address. You must add a corresponding
solicited-node multicast address for each configured unicast and anycast address of an IPv6 node. The solicited-node
multicast address is prefixed with FF02:0:0:0:0:1:FF00:0000/104. The remaining 24 bits are composed of the least significant
24 bits of the unicast or anycast address. For example, if the unicast address is FE80::2AA:FF:FE21:1234, the solicited-node
multicast address is FF02::1:FF21:1234.
The solicited-node multicast address is usually used in NS packets. Its address format is as follows:
Figure 3-7
3-7
Command Reference Configuring IPv6
Anycast Addresses
Similar to a multicast address, an anycast address can also be shared by multiple nodes. The difference is that only one
node in the anycast address receives data packets while all nodes included in the multicast address receive data packets.
Since anycast addresses are allocated to the normal IPv6 unicast address space, they have the same formats with unicast
addresses. Every member in an anycast address must be configured explicitly for easier recognition.
Anycast addresses can be allocated only to devices and cannot be used as source addresses of packets.
RFC 2373 redefines an anycast address called subnet-router anycast address. Figure 3-8 shows the format of a
subnet-router anycast address. Such an address consists of the subnet prefix and a series of 0s (interface ID).
The subnet prefix identifies a specified link (subnet). Packets destined to the subnet-router anycast address will be forwarded
to a device on this subnet. A subnet-router anycast address is usually used by the application on a node to communicate with
a device on a remote subnet.
Figure 3-8
Related Configuration
Run the ipv6 address command to configure the IPv6 unicast address and anycast address of an interface.
After an interface goes up, it will automatically join the corresponding multicast group.
Figure 3-9
3-8
Command Reference Configuring IPv6
The IPv4 packet header is in unit of four bytes. The IPv6 packet header consists of 40 bytes, in unit of eight bytes. The IPv6
packet header has the following fields:
Version
Traffic Class
This field consists of 8 bits. This field indicates the service provided by this packet, similar to the TOS field in an IPv4
address.
Flow Label
This field consists of 20 bits to identify packets belonging to the same service flow. One node can act as the Tx source of
multiple service flows. The flow label and source address uniquely identify one service flow.
Payload Length
This field consists of 16 bits, including the packet payload length and the length of IPv6 extended options (if available). That
is, it includes the IPv6 packet length except the IPv6 packet header.
Next Header
This field indicates the protocol type in the header field following the IPv6 packet header. Similar to the Protocol field in the
IPv4 address header, the Next Header field is used to indicate whether the upper layer uses TCP or UDP. It can also be used
to indicate existence of the IPv6 extension header.
Hop Limit
This field consists of 8 bits. Every time a device forwards a packet, the field value reduced by 1. If the field value reaches 0,
this packet will be discarded. It is similar to the Lifetime field in the IPv4 packet header.
Source Address
3-9
Command Reference Configuring IPv6
This field consists of 128 bits and indicates the sender address in an IPv6 packet.
Destination Address
This field consists of 128 bits and indicates the receiver address in an IPv6 packet.
Hop-By-Hop Options
This extension header must follow the IPv6 packet header. It consists of option data to be checked on each node along the
path.
This extension header indicates the nodes that a packet passes through from the source address to the destination address.
It consists of the address list of the passerby nodes. The initial destination address in the IPv6 packet header is the first
address among the addresses in the routing header, but not the final destination address of the packet. After the node
corresponding to the destination address in the IPv6 packet header receives a packet, it processes the IPv6 packet header
and routing header, and sends the packet to the second address, the third address, and so on in the routing header list till the
packet reaches the final destination address.
Fragment
The source node uses this extension header to fragment the packets of which the length exceeds the path MTU (PMTU).
Destination Options
This extension header replaces the option fields of IPv4. At present, the Destination Options field can only be filled with
integral multiples of 64 bits (eight bytes) if required. This extension header can be used to carry information to be checked by
the destination node.
Upper-layer header
This extension header indicates the protocol used at the upper layer, such as TCP (6) and UDP (17).
Another two extension headers AH and ESP will be described in the Configuring IPSec.
All the above ICMP packets carry one or multiple options. These options are optional in some cases but are significant in
other cases. NDP mainly defines five options: Source Link-Layer Address Option, Type=1; Target Link-Layer Address Option,
Type=2; Prefix Information Option, Type=3; Redirection Header Option, Type=4; MTU Option, Type=5.
Address Resolution
3-10
Command Reference Configuring IPv6
When a node attempts to communicate with another, the node has to obtain the link-layer address of the peer end by
sending it an NS packet. In this packet, the destination address is the solicited-node multicast address corresponding to the
IPv6 address of the destination node. This packet also contains the link-layer address of the source node. After receiving this
NS packet, the peer end replies with an NA packet in which the destination address is the source address of the NS packet,
that is, the link-layer address of the solicited node. After receiving this NA packet, the source node can communicate with the
destination node.
Figure 3-10
NUD
If the reachable time of a neighbor has elapsed but an IPv6 unicast packet needs to be sent to it, the device performs NUD.
While performing NUD, the device can continue to forward IPv6 packets to the neighbor.
DAD
To know whether the IPv6 address configured for a host is unique, the device needs to perform DAD by sending an NS
packet in which the source IPv6 address is the unspecified address.
If a device detects an address conflict, this address is set to the duplicate status so that the device cannot receive IPv6
packets with this address being the destination address. Meanwhile, the device also starts a timer for this duplicate address
to periodically perform DAD. If no address conflict is detected in re-detection, this address can be properly used.
Figure 3-11
3-11
Command Reference Configuring IPv6
One or multiple IPv6 address prefixes (used for on-link determination or stateless address auto-configuration)
Default device information (whether the device acts as the default device; if yes, the interval for acting as the default
device is also included.)
Other information provided for host configuration, such as hop limit, MTU, and NS retransmission interval
RA packets can also be used as replies to the RS packets sent by a host. Using RS packets, a host can obtain the
auto-configured information immediately after started rather than wait for the RA packets sent by the device. If no unicast
address is configured for a newly started host, the host includes the unspecified address (0:0:0:0:0:0:0:0) as the source
address in the RS packet. Otherwise, the host uses the configured unicast address as the source address and the multicast
address of all local routing devices (FF02::2) as the destination address in the RS packet. As an reply to the RS packet, the
RA packet uses the source address of the RS packet as the destination address (if the source address is the unspecified
address, it uses the multicast address of all local nodes (FF02::1).
Ra-lifetime: Lifetime of a router, that is, whether the device acts as the default router on the local link and the interval for
acting as the default router.
Prefix: Prefix of an IPv6 address on the local link. It is used for on-link determination or stateless address
auto-configuration, including other parameter configurations related to the prefix.
Reachabletime: Period when the device regards a neighbor reachable after detecting a Confirm Neighbor Reachability
event.
Ra-hoplimit: Hops of the RA packet, used to set the hop limit for a host to send a unicast packet.
Managed-config-flag: Whether a host receiving this RA packet obtains the address through stateful auto-configuration.
3-12
Command Reference Configuring IPv6
Other-config-flag: Whether a host receiving this RA packet uses DHCPv6 to obtain other information except the IPv6
address for auto-configuration.
Redirection
If a router receiving an IPv6 packet finds a better next hop, it sends the ICMP Redirect packet to inform the host of the better
next hop. The host will directly send the IPv6 packet to the better next hop next time.
You can configure the maximum number of unresolved ND entries to prevent malicious scanning network segments
from generating a large number of unresolved ND entries and occupying excessive memory space.
You can configure the maximum number of neighbor learning entries on an interface to prevent neighbor learning
attacks from occupying ND entries and memory space of the device and affecting forwarding efficiency of the device.
Related Configuration
Run the no ipv6 redirects command in interface configuration mode to prohibit an interface from sending Redirect
packets.
Run the ipv6 nd dad attempts value command in interface configuration mode to configure the number of NS packets
consecutively sent by DAD. Value 0 indicates disabling DAD for IPv6 addresses on this interface.
Run the no ipv6 nd dad attempts command to restore the default configuration.
By default, the device performs DAD on duplicate IPv6 addresses every 60 seconds.
Run the ipv6 nd dad retry value command in global configuration mode to configure the DAD interval. Value 0
indicates disabling DAD for the device.
Run the no ipv6 nd dad retry command to restore the default configuration.
Run the ipv6 nd reachable-time milliseconds command in interface configuration mode to modify the reachable time of
a neighbor.
3-13
Command Reference Configuring IPv6
The default stale time of an IPv6 neighbor is 1 hour. After the time elapses, the device performs NUD.
Run the ipv6 nd stale-time seconds command in interface configuration mode to modify the stale time of a neighbor.
By default, the prefix in an RA packet on an interface is the prefix configured in the ipv6 address command on the
interface.
Run the ipv6 nd prefix command in interface configuration mode to add or delete prefixes and prefix parameters that
can be advertised.
Enabling/disabling RA Suppression
Run the no ipv6 nd suppress-ra command in interface configuration mode to disable RA suppression.
The default value is 0, indicating no restriction. It is only restricted to the ND entry capacity supported by the device.
Run the ipv6 nd unresolved number command in global configuration mode to restrict the number of unresolved
neighbors. After the entries exceed this restriction, the device does not actively resolve subsequent packets.
Run the ipv6 nd cache interface-limit value command in interface configuration mode to restrict the number of
neighbors learned on an interface. The default value is 0, indicating no restriction.
Similar to the IPv4 loose source routing and loose record routing options, the IPv6 routing header is used to specify the
intermediate nodes that the packet passes through along the path to the destination address. It uses the following format:
Figure 3-11
The Segments Left field is used to indicate how many intermediate nodes are specified in the routing header for the packet to
pass through from the current node to the final destination address.
3-14
Command Reference Configuring IPv6
Currently, two routing types are defined: 0 and 2. The Type 2 routing header is used for mobile communication. RFC 2460
defines the Type 0 routing header (similar to the loose source routing option of IPv4). The format of the Type 0 routing
header is as follows:
Figure 3-12
The following example describes the application of the Type 0 routing header, as shown in Figure 3-13.
Figure 3-13
Host 1 sends Host 2 a packet specifying the intermediate nodes Router 2 and Router 3. The following table lists the changes
of fields related to the IPv6 header and routing header during the forwarding process.
Transmission Fields in the IPv6 Header Fields Related to the Type 0 Routing Header
Node
Host 1 Source address=1000::2 Segments Left=2
Destination address=1001::1 (Address of Router 2) Address 1=1002::1 (Address of Router 3)
3-15
Command Reference Configuring IPv6
5. Host 1 sends a packet in which the destination address is Router 2's address 1001::1, the Type 0 routing header is filled
with Router 3's address 1002::1 and Host 2's address 1003::2, and the value of the Segments Left field is 2.
7. Router 2 changes the destination address in the IPv6 header to Address 1 in the routing header. That is, the destination
address becomes Router 3's address 1002::1, Address 1 in the routing header becomes Router 2's address 1001::1,
and the value of the Segments Left field becomes 1. After modification, Router 2 forwards the packet to Router 3.
8. Router 3 changes the destination address in the IPv6 header to Address 2 in the routing header. That is, the destination
address becomes Host 2's address 1003::2, Address 2 in the routing header becomes Router 3's address 1002::1, and
the value of the Segments Left field becomes 0. After modification, Router 3 forwards the packet to Host 2.
The Type 0 routing header may be used to initiate DoS attacks. As shown in Figure 3-14, Host 1 sends packets to Host 2 at 1
Mbps and forges a routing header to cause multiple round-trips between Router 2 and Router 3 (50 times from Router 2 to
Router 3 and 49 times from Router 3 to Router 2). At the time, the routing header generates the traffic amplification effect:"
50 Mbps from Router 2 to Router 3 and 49 Mbps from Router 3 to Router 2." Due to this security problem, RFC 5095
abolished the Type 0 routing header.
Figure 3-14
3-16
Command Reference Configuring IPv6
Related Configuration
Run the ipv6 source-route command in global configuration mode to enable IPv6 source routing.
The destination node or intermediate router sends ICMPv6 error messages to report the errors incurred during IPv6 data
packet forwarding and transmission. There are mainly four types of error messages: Destination Unreachable, Packet Too
Big, Time Exceeded, and Parameter Problem.
When receiving an invalid IPv6 packet, a device discards the packet and sends back an ICMPv6 error message to the source
IPv6 address. In the case of invalid IPv6 packet attacks, the device may continuously reply to ICMPv6 error messages till
device resources are exhausted and thereby fail to properly provide services. To solve this problem, you can restrict the
sending rate of ICMPv6 error messages.
If the length of an IPv6 packet to be forwarded exceeds the IPv6 MTU of the outbound interface, the router discards this IPv6
packet and sends back an ICMPv6 Packet Too Big message to the source IPv6 address. This error message is mainly used
as part of the IPv6 PMTUD process. If the sending rate of ICMPv6 error messages is restricted due to excessive other
ICMPv6 error messages, ICMPv6 Packet Too Big messages may be filtered, causing failure of IPv6 PMTUD. Therefore, it is
recommended to restrict the sending rate of ICMPv6 Packet Too Big messages independently of other ICMPv6 error
messages.
Although ICMPv6 Redirect packets are not ICMPv6 error messages, Ruijie recommends restricting their rates together with
ICMPv6 error messages except Packet Too Big messages.
3-17
Command Reference Configuring IPv6
Related Configuration
Run the ipv6 icmp error-interval too-big command to configure the sending rate of ICMPv6 Packet Too Big
messages.
Run the ipv6 icmp error-interval command to configure the sending rate of other ICMPv6 error messages.
An IPv6 data packet passes through routers from the source address and destination address. If a hop limit is configured, it
decreases by one every time the packet passes through a router. When the hop limit decreases to 0, the router discards the
packet to prevent this useless packet from being unlimitedly transmitted on the network and wasting network bandwidth. The
hop limit is similar to the TTL of IPv4.
Related Configuration
Run the ipv6 hop-limit command to configure the IPv6 hop limit of a device.
3.4 Configuration
3-18
Command Reference Configuring IPv6
Optional.
Configuring the Sending
ipv6 icmp error-interval Configures the sending rate of ICMPv6 Packet Too Big
Rate of ICMPv6 Error
too-big messages.
Messages
Configures the sending rates of other ICMPv6 error
ipv6 icmp error-interval
messages and ICMPv6 Redirect packets.
Configuring the IPv6 Hop (Optional) It is used to restrict the hop limit of IPv6 unicast packets sent on an interface.
Limit
ipv6 hop-limit Configures the IPv6 hop limit.
Configuration Steps
(Optional) If you do not want to enable IPv6 by configuring an IPv6 address, run the ipv6 enable command.
Mandatory.
Verification
Run the show ipv6 interface command to check whether the configured address takes effect.
3-19
Command Reference Configuring IPv6
Related Commands
3-20
Command Reference Configuring IPv6
Run the no ipv6 address ipv6-prefix/prefix-length eui-64 command to delete the configured address.
Configuration Example
Configuration Enable IPv6 on the GigabitEthernet 0/0 interface and add IPv6 address 2000::1 to the interface.
Steps
Verification Run the show ipv6 interface command to verify that an address is successfully added to the
GigabitEthernet 0/0 interface.
address(es):
XS-S1960-H series do not support the VRF parameter. The above example is for reference purpose.
Please take the actual device as standard.
3-21
Command Reference Configuring IPv6
Configure NDP-related attributes, for example, enable IPv6 redirection and DAD.
Notes
RA suppression is enabled on interfaces by default. To configure a device to send RA packets, run the no ipv6 nd
suppress-ra command in interface configuration mode.
Configuration Steps
Optional.
To prevent enabling DAD for IPv6 addresses on an interface or modify the number of consecutive NS packets sent
during DAD, run the ipv6 nd dad attempts command.
Optional.
To modify the reachable time of a neighbor, run the ipv6 nd reachable-time command.
Optional.
Optional.
If a large number of unresolved ND entries are generated due to scanning attacks, run the ipv6 nd unresolved
command to restrict the number of unresolved neighbors.
Optional.
If the number of IPv6 hosts is controllable, run the ipv6 nd cache interface-limit command to restrict the number of
neighbors learned on an interface. This prevents ND learning attacks from occupying the memory space and affecting
device performance.
3-22
Command Reference Configuring IPv6
Verification
show ipv6 interface interface-type interface-num: Check whether the configurations such as the redirection function,
reachable time of a neighbor, and NS sending interval take effect.
show ipv6 interface interface-type interface-num ra-inifo: Check whether the prefix and other information configured
for RA packets are correct.
show run
Related Commands
3-23
Command Reference Configuring IPv6
reachable time, the faster the device detects unreachable neighbors but the more it consumes network
bandwidth and device resources. Therefore, it is not recommended to set this time too small.
The configured value is advertised in an RA packet and is also used on the device. If the value is 0, the
reachable time is not specified on the device and it is recommended to use the default value.
3-24
Command Reference Configuring IPv6
Configuration Example
Verification Run the show ipv6 interface command to check whether the configuration takes effect.
address(es):
3-25
Command Reference Configuring IPv6
Verification Run the show ipv6 interface command to check whether the configuration takes effect.
Mac Address: 00:00:00:00:00:00
Configuration Configure the interface to send three consecutive NS packets during DAD.
Steps
Verification Run the show ipv6 interface command to check whether the configuration takes effect.
address(es):
3-26
Command Reference Configuring IPv6
Ruijie(config-if-GigabitEthernet 0/0)#
XS-S1960-H series do not support the VRF parameter. The above example is for reference purpose.
Please take the actual device as standard.
Verification Run the show ipv6 interface command to check whether the configuration takes effect.
RA timer is stopped
waits: 0, initcount: 0
ND advertised CurHopLimit is 64
3-27
Command Reference Configuring IPv6
Configuration Configure RA packets to obtain prefixes from the prefix pool "ra-pool".
Steps
Verification Run the show run command to check whether the configuration takes effect.
Building configuration...
ipv6 enable
no ipv6 nd suppress-ra
Disabling RA Suppression
Verification Run the show run command to check whether the configuration takes effect.
Building configuration...
ipv6 enable
no ipv6 nd suppress-ra
3-28
Command Reference Configuring IPv6
Verification Run the show run command to check whether the configuration takes effect.
Ruijie#show run
Verification Run the show run command to check whether the configuration takes effect.
Ruijie#show run
RFC 5095 abolished the Type 0 routing header. Ruijie devices do not support the Type 0 routing header by default. The
administrator can run the ipv6 source-route command to in global configuration mode to enable IPv6 source routing.
Configuration Steps
Optional.
Verification
The device can properly forward packets carrying the Type 0 routing header.
3-29
Command Reference Configuring IPv6
Related Commands
Configuration Example
Ruijie(config)#ipv6 source-route
Verification Run the show run command to check whether the configuration takes effect.
ipv6 source-route
Configuration Steps
Optional.
If a device receives many IPv6 packets with the packet length exceeding the IPv6 MTU of the outbound interface and
thereby sends many ICMPv6 Packet Too Big messages to consume much CPU resources, run the ipv6 icmp
error-interval too-big command to restrict the sending rate of this error message.
Optional.
If a device receives many illegal IPv6 packets and thereby generates many ICMPv6 error messages, run the ipv6 icmp
error-interval command to restrict the sending rate of ICMPv6 error messages. (This command does not affect the
sending rate of ICMPv6 Packet Too Big messages.)
3-30
Command Reference Configuring IPv6
Verification
Run the show running-config command to check whether the configuration takes effect.
Related Commands
3-31
Command Reference Configuring IPv6
Since the precision of the timer is 10 milliseconds, it is recommended to set the refresh period of a token
bucket to an integer multiple of 10 milliseconds. If the refresh period of the token bucket is between 0 and
10, the actual refresh period is 10 milliseconds. For example, if the sending rate is set to 1 every 5
milliseconds, two error messages are sent every 10 milliseconds in actual situations. If the refresh period of
the token bucket is not an integer multiple of 10 milliseconds, it is automatically converted to an integer
multiple of 10 milliseconds. For example, if the sending rate is set to 3 every 15 milliseconds, two tokens are
refreshed every 10 milliseconds in actual situations.
Configuration Example
Configuration Set the sending rate of the ICMPv6 Packet Too Big message to 100 pps and that of other ICMPv6 error
Steps messages to 10 pps.
Verification Run the show running-config command to check whether the configuration takes effect.
Configure the number of hops of a unicast packet to prevent the packet from being unlimitedly transmitted.
Configuration Steps
Optional.
To modify the number of hops of a unicast packet, run the ipv6 hop-limit value command.
Verification
Run the show running-config command to check whether the configuration is correct.
Capture the IPv6 unicast packets sent by a host. The packet capture result shows that the hop-limit field value in the
IPv6 header is the same as the configured hop limit.
Related Commands
3-32
Command Reference Configuring IPv6
Configuration Example
Verification Run the show running-config command to check whether the configuration takes effect.
Ruijie#show running-config
3.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears the dynamically learned clrear ipv6 neighbors [interface-id]
neighbors.
Displaying
Description Command
Displays IPv6 information of an
show ipv6 interface [[interface-id] [ra-info] ] [brief [interface-id]]
interface.
Displays neighbor information. show ipv6 neighbors [verbose] [interface-id] [ipv6-address] [static]
Debugging
System resources are occupied when debugging information is output. Therefore, disable the debugging switch
immediately after use.
Description Command
Debugs ND entry learning. debug ipv6 nd
3-33
Command Reference Configuring DHCP
4 Configuring DHCP
4.1 Overview
The Dynamic Host Configuration Protocol (DHCP) is a LAN protocol based on the User Datagram Protocol (UDP) for
dynamically assigning reusable network resources, for example, IP addresses.
The DHCP works in Client/Server mode. A DHCP client sends a request message to a DHCP server to obtain an IP address
and other configurations. When a DHCP client and a DHCP server are not in a same subnet, they need a DHCP relay to
forward DHCP request and reply packets.
4.2 Applications
Application Description
Providing DHCP Service in a LAN Assigns IP addresses to clients in a LAN.
Enabling DHCP Client Enable DHCP Client.
Deploying DHCP Relay in Wired In a wired network, users from different network segments requests IP addresses.
Network
For example, assign IP addresses to User 1, User 2, User 3 and User 4, as shown in the following figure.
4-1
Command Reference Configuring DHCP
Figure 4-1
Deployment
For example, enable DHCP Client on the interfaces of A, B, C and D to request IP addresses, as shown in the following
figure.
Figure 4-2
4-2
Command Reference Configuring DHCP
Deployment
As shown in the following figure, Switch C and Switch D are access devices for the users in VLAN 10 and VLAN 20
respectively. Switch B is a gateway, and Switch A a core device. The requirements are listed as follows:
Switch A works as a DHCP server to assign IP addresses of different network segments dynamically to users in different
VLANs.
Deployment
Configure layer-2 communication between Switch B and Switch C as well as between Switch B and Switch D.
On Switch A, create DHCP address pools for VLAN 10 and VLAN 20 respectively, and enable DHCP Server.
4-3
Command Reference Configuring DHCP
4.3 Features
Basic Concepts
DHCP Server
Based on the RFC 2131, Ruijie DHCP server assigns IP addresses to clients and manages these IP addresses.
DHCP Client
DHCP Client enables a device to automatically obtain an IP address and configurations from a DHCP server.
DHCP Relay
When a DHCP client and a DHCP server are not in a same subnet, they need a DHCP relay to forward DHCP request and
reply packets.
Lease
Lease is a period of time specified by a DHCP server for a client to use an assigned IP address. An IP address is active when
leased to a client. Before a lease expires, a client needs to renew the lease through a server. When a lease expires or is
deleted from a server, the lease becomes inactive.
Excluded Address
Address Pool
An address pool is a collection of IP addresses that a DHCP server may assign to clients.
Option Type
An option type is a parameter specified by a DHCP server when it provides lease service to a DHCP client. For example, a
public option include the IP addresses of a default gateway (router), WINS server and a DNS server. DHCP server allows
configuration of other options. Though most options are defined in the RFC 2132, you can add user-defined options.
Overview
Feature Description
DHCP Server Enable DHCP Server on a device, and it may assign IP addresses dynamically and pushes
configurations to DHCP clients.
DHCP Relay Agent Enable DHCP Relay on a device, and it may forward DHCP request and reply packets across
different network segments.
DHCP Client Enable DHCP Client on a device, and it may obtain IP addresses and configurations
automatically from a DHCP server.
4-4
Command Reference Configuring DHCP
Figure 4-4
2. DHCP servers unicast/broadcast (based on the property of the host packet) DHCP offer packets to the host, containing
an IP address, a MAC address, a domain name and a lease.
4. A DHCP server sends a DHCP ACK unitcast packet to the host to acknowledge the request.
A DHCP client may receive DHCPOFFER packets from multiple DHCP servers, but usually it accepts only the first
DHCPOFFER packet. Besides, the address specified in a DHCPOFFER packet is not necessarily assigned. Instead, it
is retained by the DHCP server until a client sends a formal request.
To formally request an IP address, a client broadcasts a DHCPREQUEST packet so that all DHCP servers sending
DHCPOFFER packets may receive the packet and release OFFER IP addresses.
If a DHCPOFFER packet contains invalid configuration parameters, a client will send a DHCPDECLINE packet to the server
to decline the configuration.
During the negotiation, if a client does not respond to the DHCPOFFER packets in time, servers will send DHCPNAK packets
to the client and the client will reinitiate the process.
During network construction, Ruijie DHCP servers have the following features:
Low cost. Usually the static IP address configuration costs more than DHCP configuration.
Centralized management. You can modify the configuration for multiple subnets by simply modifying the DHCP server
configuration.
Address Pool
4-5
Command Reference Configuring DHCP
After a server receives a client's request packet, it chooses a valid address pool, determines an available IP address from the
pool through PING, and pushes the pool and address configuration to the client. The lease information is saved locally for
validity check upon lease renewal.
A lease period notifying clients of when to age an address and request a lease renewal.
VRRP Monitoring
In a Virtual Router Redundancy Protocol (VRRP) scenario, Ruijie devices enabled with DHCP provide a command to monitor
the VRRP status of the interface. To an interface configured with VRRP address and VRRP monitoring, a DHCP server only
processes the DHCP clients' request packets from the interface in Master state, and other packets are discarded. If no VRRP
address is configured, the DHCP server does not monitor the VRRP status, and all DHCP packets are processed. VRRP
monitoring is configured on only layer-3 interfaces. It is disabled by default, namely, only the Master device processes the
DHCP service.
Ruijie devices enabled with DHCP provide a command to enable ARP-based offline detection. After this function is enabled,
a DHCP server will receive an ARP aging notification when a client gets offline, and start retrieving the client's address. If the
client does not get online within a period of time (5 minutes by default), the DHCP server will retrieve the address and assign
it to another client. If the client gets online again, the address is still valid.
If a DHCP server is deployed illegally, a client interacts with this server while requesting an IP address and a wrong address
will be assigned to the client. This server is a pseudo server. Ruijie devices enabled with DHCP provides a command to
enable pseudo server detection. After it is enabled, DHCP packets are checked for Option 54 (Server Identifier Option). If the
content of Option 54 is different from the actual DHCP server identifier, the IP address of the pseudo server and port
receiving the packets will be recorded. The pseudo server detection is only an after-event security function and cannot
prevent an illegal DHCP server from assigning IP addresses to clients.
Related Configuration
4-6
Command Reference Configuring DHCP
Run the ip dhcp pool command to configure an IP address range, a gateway and a DNS.
The destination IP address of DHCP request packets is 255.255.255.255, and these packets are forwarded within a subnet.
To achieve IP address assignment across network segments, a DHCP relay agent is needed. The DHCP relay agent
unicasts DHCP request packets to a DHCP server and forwards DHCP reply packets to a DCHP client. The DHCP relay
agent serves as a repeater connecting a DHCP client and a DHCP server of different network segments by forwarding DHCP
request packets and DHCP reply packets. The Client-Relay-Server mode achieves management of IP addresses across
multiple network segments by only one DHCP server. See the following figure.
VLAN 10 and VLAN 20 correspond to the segments 10.0.0.1/16 and 20.0.0.1/16 respectively. A DHCP server with IP
address 30.0.0.2 is in segment 30.0.0.1/16. To achieve management of dynamic IP addresses in VLAN 10 and VLAN 20 by
the DHCP server, you only need to enable DHCP Relay on a gateway and configure IP address 30.0.0.2 for the DHCP
server.
As defined in RFC3046, an option can be added to indicate a DHCP client's network information when DHCP Relay is
performed, so that a DHCP server may assign IP addresses of various privileges based on more accurate information. The
option is called Option 82. Currently, Ruijie devices support four schemes of relay agent information, which are described
respectively as follows:
Relay agent information option dot1x: This scheme should be implemented with 802.1X authentication and the
RG-SAM products. Specifically, RG-SAM products push the IP privilege during 802.1X authentication. A DHCP relay
agent forms a Circuit ID sub-option based on the IP privilege and the VLAN ID of a DHCP client. The option format is
shown in the following figure.
4-7
Command Reference Configuring DHCP
Relay agent information option82: This scheme serves without correlation with other protocol modules. A DHCP relay
agent forms an Option 82 based on the physical port receiving DHCP request packets and the MAC address of the
device. The option format is shown in the following figure.
Relay agent information option82: This scheme serves without correlation with other protocol modules. Compared with
previous Option 82, this option supports user-defined content, which may change. By default, a DHCP relay agent
forms Option 82 according to the information of the physical port receiving DHCP packets, device MAC address and
device name. The option format is shown in the following figure.
In DHCP environment, multiple DHCP servers are deployed for a network, achieving server backup to ensure uninterrupted
network operation. After this function is enabled, the DHCP request packet sent by a client contains a server-id option
specifying a DHCP server. In alleviating the burden on servers in specific environments, you need to enable this function on
a relay agent to send a packet to a specified DHCP server rather than all DHCP servers.
4-8
Command Reference Configuring DHCP
After you configure the ip dhcp relay suppression command on an interface, DHCP request packets received on the
interface will be filtered, and the other DHCP request packets will be forwarded.
Related Configuration
You may run the service dhcp command to enable DHCP Relay.
You may run the ip helper-address command to configure an IP address for a DHCP server. The IP address can be
configured globally or on a layer-3 interface. A maximum of 20 IP addresses can be configured for a DHCP server.
When an interface receives a DHCP request packet, the DHCP server configuration on the interface prevails over that
configured globally. If the interface is not configured with DHCP server addresses, the global configuration takes effect.
You may run the ip dhcp relay information option82 command to enable DHCP Option 82.
You may run the ip dhcp relay check server-id command to enable DHCP Relay check server-id.
You may run the ip dhcp relay suppression command to enable it on an interface.
A DHCP client broadcasts a DHCP discover packet after entering the Init state. Then it may receive multiple DHCP offer
packets. It chooses one of them and responds to the corresponding DHCP server. After that, it sends lease renewal request
packets in the Renew and Rebind processes of an aging period to request lease renewal.
Related Configuration
4-9
Command Reference Configuring DHCP
In interface configuration mode, you may run the ip address dhcp command to enable DHCP Client.
The configuration takes effect on a layer-3 interface, for example, an SVI or a routed port.
4.4 Configuration
Configuring Global Properties of DHCP (Optional) It is used to configure the properties of a DHCP server.
4-10
Command Reference Configuring DHCP
4-11
Command Reference Configuring DHCP
Provide all DHCP clients with DHCP service including assigning IP addresses and gateways.
Notes
A DHCP server and a DHCP relay share the service dhcp command, but a device cannot function as a DHCP server and
relay at the same time. When a device is configured with a valid address pool, it acts as a server and forwards packets.
Otherwise, it serves as a relay agent.
Configuration Steps
4-12
Command Reference Configuring DHCP
Configuring DNS
Optional. It is used to manage the number of leases. When a threshold (90% by default) is reached, an alarm will be
printed.
Verification
Related Commands
4-13
Command Reference Configuring DHCP
4-14
Command Reference Configuring DHCP
minutes: (Optional) Defines a lease in the unit of minute. Please define days and hours before minutes.
infinite: Defines an unlimited lease.
Command DHCP address pool configuration mode
Mode
Usage Guide The default lease of an IP address assigned by a DHCP server is 1 day. When a lease is expiring soon, a
client needs to request a lease renewal. Otherwise the IP address cannot be used after the lease is expired.
Configuring DNS
4-15
Command Reference Configuring DHCP
Mode
Usage Guide WINS is a domain name service through which a Microsoft TCP/IP network resolves a NetNBIOS name to
an IP address. A WINS server is a Windows NT server. When a WINS server starts, it receives a registration
request from a WINS client. When the client shuts down, it sends a name release message, so that the
computers in the WINS database and on the network are consistent.
4-16
Command Reference Configuring DHCP
Configuration Example
Ruijie(dhcp-config)# lease 1
lease 1
Notes
N/A
4-17
Command Reference Configuring DHCP
Configuration Steps
Configuring Address Pool Name and Entering Address Pool Configuration Mode
Verification
Related Commands
4-18
Command Reference Configuring DHCP
Configuration Example
Configuration Configure address pool VLAN 1 with IP address 20.1.1.0 and subnet mask 255.255.255.0.
Steps The default gateway is 20.1.1.1.
The lease time is 1 day.
Ruijie(dhcp-config)# lease 1 0 0
default-router 20.1.1.1
lease 1 0 0
Manual Binding
Configuration The host address is 172.16.1.101 and the subnet mask is 255.255.255.0.
4-19
Command Reference Configuring DHCP
client-name Billy
default-router 172.16.1.254
Enable a server with specific functions, for example, ping and compulsory NAK.
Notes
Configuration Steps
Optional. After configuration, DHCP packets are processed by the Master server.
4-20
Command Reference Configuring DHCP
Optional. Check the address reachability with the ping command. The default is 2.
Optional. Check the address reachability with the ping command. The default is 500 ms.
Configure a DHCP server to detect whether the client is offline or not. If a client does not get online after being offline for
a period, the address assigned to the client will be retrieved.
Verification
Run the dhcp-server command, and check the configuration during address assignment.
Related Commands
4-21
Command Reference Configuring DHCP
client sends request packets continually before obtaining an IP address again after timeout. Consequently, it
takes a long to obtain an IP address. This also occurs when a DHCP server loses a lease after restart and a
client requests lease renewal. In this case, you may configure a command to force the DHCP server to reply
with a NAK packet even though it cannot find the lease record so that the client may obtain an IP address
rapidly. Please note that the command is disabled by default. To enable it, only one DHCP server can be
configured in a broadcast domain.
Configuration Example
Configuring Ping
4-22
Command Reference Configuring DHCP
Deploy dynamic IP management in Client–Relay–Server mode to achieve communication between a DHCP client and
a DHCP server, which are in different network segments.
Notes
To enable DHCP Relay, you need to configure IPv4 unicast routing in a network.
Configuration Steps
Mandatory.
Mandatory.
4-23
Command Reference Configuring DHCP
Verification
Related Commands
Configuration Example
Scenario
Figure 4-10
4-24
Command Reference Configuring DHCP
service dhcp
ip helper-address 172.2.2.1
4-25
Command Reference Configuring DHCP
Common Errors
Through a DHCP relay agent, a server may assign IP addresses of different privileges to the clients more accurately
based on the option information.
Notes
Configuration Steps
Mandatory.
You may run the ip dhcp relay information option82 command to enable or disable DHCP Option 82.
Verification
Related Commands
4-26
Command Reference Configuring DHCP
Configuration Example
Verification After login to the DHCP relay agent, run the show running-config command in privileged EXEC mode to
display DHCP Relay configuration.
Common Errors
After you configure the ip dhcp relay check server-id, a DHCP Relay agent will forward DHCP request packets only to
the server specified by the option server-id command. Otherwise, they are forwarded to all DHCP servers.
Notes
Configuration Steps
You may run the ip dhcp relay check server-id command to enable DHCP Relay check server-id.
Verification
Check whether a DHCP Relay agent sends DHCP request packets only to the server specified by the option server-id
command.
Related Commands
4-27
Command Reference Configuring DHCP
Description
Command Global configuration mode
Mode
Usage Guide N/A
Configuration Example
Verification After login to the DHCP relay agent, run the show running-config command in privileged EXEC mode to
display DHCP Relay configuration.
Ruijie#
Common Errors
After you configure the ip DHCP Relay suppression command on an interface, DHCP request packets received on the
interface will be filtered, and the other DHCP requests will be forwarded.
Notes
Configuration Steps
You may run the ip dhcp relay suppression command to enable DHCP Relay suppression.
Verification
Check whether the DHCP request packets received on the interface are filtered.
4-28
Command Reference Configuring DHCP
Related Commands
Configuration Example
Ruijie(config-if-GigabitEthernet 0/1)#end
Ruijie#
Verification After login to the DHCP relay agent, run the show running-config command in privileged EXEC mode to
display DHCP Relay configuration.
Common Errors
Enable DHCP Client on a device so that it obtains IP addresses and configurations dynamically.
Notes
Ruijie products support DHCP Client configuration on Ethernet, FR, PPP and HDLC interfaces.
4-29
Command Reference Configuring DHCP
Configuration Steps
Verification
Related Commands
Configuration Example
ip address dhcp
4.5 Monitoring
Clearing
Running the clear commands may lose vital information and interrupt services.
Description Command
Clears DHCP address binding. clear ip dhcp binding { address | *}
Clears DHCP address conflict. clear ip dhcp conflict { address | *}
4-30
Command Reference Configuring DHCP
Displaying
Description Command
Displays DHCP lease. show dhcp lease
Displays DHCP sockets. show ip dhcp socket
Displays assigned IP addresses. show ip dhcp binding
Displays created address pools. show ip dhcp pool
Displays statistics of DHCP Server. show ip dhcp server statistic
Displays statistics of DHCP Relay. show ip dhcp relay statistic
Displays conflicted addresses. show ip dhcp conflict
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs DHCP agent. debug ip dhcp server agent
Debugs DHCP hot backup. debug ip dhcp server ha
Debugs DHCP address pools. debug ip dhcp server pool
Debugs DHCP VRRP. debug ip dhcp server vrrp
Debugs all DHCP servers. debug ip dhcp server all
Debugs DHCP packets. debug ip dhcp client
Debugs DHCP Relay events. debug ip dhcp relay
4-31
Command Reference Configuring DHCPv6
5 Configuring DHCPv6
5.1 Overview
The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) is a protocol that allows a DHCP server to transfer
configurations (such as IPv6 addresses) to IPv6 nodes.
As compared with other IPv6 address allocation methods, such as manual configuration and stateless automatic address
configuration, DHCPv6 provides the address allocation, prefix delegation, and configuration parameter allocation.
DHCPv6 is a stateful protocol for automatically configuring addresses and flexibly adding and reusing network
addresses, which can record allocated addresses and enhance network manageability.
By using the prefix delegation of DHCPv6, uplink network devices can allocate address prefixes to downlink network
devices, which implements flexible station-level automatic configuration and flexible control of station address space.
The DHCPv6 configuration parameter allocation solves the problem that parameters cannot be obtained through a
stateless automatic address configuration protocol and allocates DNS server addresses and domain names to hosts.
DHCPv6 is a protocol based on the client/server model. A DHCPv6 client is used to obtain various configurations whereas a
DHCPv6 server is used to provide various configurations. If the DHCPv6 client and DHCPv6 server are not on the same
network link (the same network segment), they can interact with each other by using a DHCPv6 relay agent.
The DHCPv6 client usually discovers the DHCPv6 server by reserving multicast addresses within a link; therefore, the
DHCPv6 client and DHCPv6 server must be able to directly communicate with each other, that is, they must be deployed
within the same link. This may cause management inconvenience, economic waste (a DHCPv6 server is deployed for each
subnet) and upgrade inconvenience. The DHCPv6 relay agent function can solve these problems by enabling a DHCPv6
client to send packets to a DHCPv6 server on a different link. The DHCP relay agent is often deployed within the link where a
DHCPv6 client resides and is used to relay interaction packets between the DHCPv6 client and DHCPv6 server. The DHCP
relay agent is transparent to the DHCPv6 client.
Figure 5-1
5-1
Command Reference Configuring DHCPv6
RFC3633: IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) Version 6
RFC3646: DNS Configuration Options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
RFC5417: Control And Provisioning of Wireless Access Points (CAPWAP) Access Controller DHCP Option
5.2 Applications
Application Description
Requesting/Allocating A DHCPv6 client requests addresses from a DHCPv6 server. The DHCPv6 server allocates
Addresses and Configuration addresses and configuration parameters to the DHCPv6 client.
Parameters
Requesting/Allocating Prefixes The DHCPv6 client requests a prefix from the DHCPv6 server. The DHCPv6 server
allocates a prefix to the DHCPv6 client and then the DHCPv6 client configures IPv6
addresses by using this prefix.
Relay Service The DHCPv6 relay is used to enable communication between the DHCPv6 client and
DHCPv6 server on different links.
In a subnet, a DHCPv6 client requests addresses from a DHCPv6 server. The DHCPv6 server allocates addresses and
configuration parameters to the DHCPv6 client.
The DHCPv6 server is configured with IPv6 addresses, DNS servers, domain names and other configuration
parameters to be allocated.
A host works as a DHCPv6 client to request an IPv6 address from the DHCPv6 server. After receiving the request, the
DHCPv6 server selects an available address and allocates the address to the host.
The host can also request a DNS server, domain name and other configuration parameters from the DHCPv6 server.
Figure 5-2
5-2
Command Reference Configuring DHCPv6
Deployment
Run the DHCPv6 client on a host in the subnet to obtain an IPv6 address and other parameters.
Run the DHCPv6 server on a device and configure the IPv6 address and other parameters to allocate the IPv6 address
and parameters.
As shown in Figure 5-3, an uplink device (PE) allocates an IPv6 address prefix for a downlink device (CPE). The CPE
generates a new address prefix for the internal subnet based on the obtained prefix. Hosts in the internal subnet of the CPE
are configured with addresses through Router Advertisement (RA) by using the new address prefix.
The CPE requests an address prefix from the PE as a DHCPv6 client. After obtaining the address prefix, the CPE
generates a new address prefix for the internal subnet and sends an RA message to hosts in the internal subnet.
The hosts in the internal subnet where CPE resides configure their addresses based on the RA message sent by the
CPE.
Figure 5-3
Remarks The Provider Edge (PE) works as a DHCPv6 server for providing prefixes and is also called a delegating router.
The Customer Premises Equipment (CPE) works as a DHCPv6 client for requesting prefixes and is also called a
requesting router.
A, B and C are various hosts.
Deployment
Run the DHCPv6 server on the PE to implement the prefix delegation service.
Deploy IPv6 ND between the CPE and the hosts to configure the host addresses in the subnet through RA.
5-3
Command Reference Configuring DHCPv6
The DHCPv6 relay agent provides the relay service for the DHCPv6 client ad DHCPv6 server on different links to enable
communication between them.
Device 1 is enabled with the DHCPv6 relay agent and destined to 3001::2.
Device 2 wants to forward packets to other servers through a next-level relay service. Enable the DHCPv6 relay agent
on Device 2, set the destination address to FF02::1:2 (all servers and Relay multicast addresses) and specify the
egress interface as the layer-3 interface gi 0/1.
Figure 5-4
Deployment
Enable the DHCPv6 relay agent on device 1 and specify the address as 3000::1.
Enable the DHCPv6 relay agent on device 2 and specify the address as FF02::1:2.
5.3 Features
Basic Concept
DUID
The DHCP Unique Identifier (DUID) identifies a DHCPv6 device. As defined in RFC3315, each DHCPv6 device (DHCPv6
client, relay or server) must have a DUID, which is used for mutual authentication during DHCPv6 message exchange.
5-4
Command Reference Configuring DHCPv6
The values of DUID-LL, Hardware type, and Link-layer address are 0x0003, 0x0001 (indicating the Ethernet), and MAC
address of a device respectively.
A DHCPv6 server allocates IAs to DHCPv6 clients. Each IA is uniquely identified by an identity association identifier (IAID).
IAIDs are generated by DHCPv6 clients. A one-to-one mapping is established between IAs and clients. An IA may contain
several addresses, which can be allocated by the client to other interfaces. An IA may contain one of the following types of
addresses:
Based on the address type, IAs are classified into IA_NA, IA_TA, and IA_PD (three IA-Types). Ruijie DHCPv6 servers
support only IA_NA and IA_PD.
Binding
A DHCPv6 binding is a manageable address information structure. The address binding data on a DHCPv6 server records
the IA and other configurations of every client. A client can request multiple bindings. The address binding data on a server is
present in the form of an address binding table with DUID, IA-Type and IAID as the indexes. A binding containing
configurations uses DUID as the index.
DHCPv6 Conflict
When an address allocated by a DHCPv6 client is in conflict, the client sends a Decline packet to notify the DHCPv6 server
that the address is rebound. Then, the server adds the address to the address conflict queue. The server will not allocate the
addresses in the address conflict queue. The server supports viewing and clearing of address information in the address
conflict queue.
Packet Type
5-5
Command Reference Configuring DHCPv6
RFC3315 stipulates that DHCPv6 uses UDP ports 546 and 547 for packet exchange. Specifically, a DHCPv6 client uses port
546 for receiving packets, while a DHCPv6 server and DHCPv6 relay agent use port 547 for receiving packets. RFC3315
defines the following types of packets that can be exchanged among the DHCPv6 server, client, and relay agent:
Packets that may be sent by a DHCPv6 client to a DHCPv6 server include Solicit, Request, Confirm, Renew, Rebind,
Release, Decline, and Information-request.
Packets that may be sent by a DHCPv6 server to a DHCPv6 client include Advertise, Reply, and Reconfigure.
Packets that may be sent by a DHCPv6 relay agent to another DHCPv6 relay agent or a DHCPv6 server include
Relay-forward.
Packets that may be sent by a DHCPv6 relay agent to another DHCPv6 relay agent or a DHCPv6 server include
Relay-reply.
Ruijie DHCPv6 clients do not support the Confirm and Reconfigure packets.
Overview
Feature Description
Requesting/Allocating Dynamically obtains/allocates IPv6 addresses in a network in the client/server mode.
Addresses
Requesting/Allocating Prefixes Dynamically obtains/allocates IPv6 prefixes in a network in the client/server mode.
Stateless Service Provides stateless configuration service for hosts in a network.
Relay Service Provides the DHCPv6 server service for hosts in different networks by using the relay
service.
After being configured with available addresses, a DHCPv6 server can provide IPv6 addresses to hosts in the network,
record the allocated addresses and improve the network manageability.
Working Principle
Network hosts serve as DHCPv6 clients and DHCPv6 servers to implement address allocation, update, confirmation, release
and other operations through message exchange.
Four-Message Exchange
Figure 5-5
5-6
Command Reference Configuring DHCPv6
A DHCPv6 client sends a Solicit message whose destination address is FF02::1:2 and destination port number is 547
within the local link to request address, prefix and configuration parameter allocation. All DHCPv6 servers or DHCPv6
relay agents within the link will receive the Solicit message.
After receiving the Solicit message, a DHCPv6 server will send an Advertise message in the unicast mode if it can
provide the information requested in the Solicit message. The Advertise message includes the address, prefix and
configuration parameters.
The DHCPv6 client may receive the Advertise message from multiple DHCPv6 servers. After selecting the most
suitable DHCPv6 server, the DHCPv6 client sends a Request message whose destination address is FF02::1:2 and
destination port number is 547 to request address, prefix and configuration parameter allocation.
After receiving the Request message, the DHCPv6 server creates a binding locally and sends a Reply message in the
unicast mode. The Reply message includes the address, prefix and configuration parameters that the DHCPv6 server
will allocate to the DHCPv6 client. The DHCPv6 client obtains address, prefix or configuration parameters based on the
information in the Reply message.
Two-Message Exchange
Two-message exchange can be used to complete address, prefix and parameter configuration for DHCPv6 clients more
quickly.
Figure 5-6
A DHCPv6 client sends a Solicit message whose destination address is FF02::1:2 and destination port number is 547
within the local link to request address, prefix and configuration parameter allocation. The Solicit message contains
Rapid Commit.
If a DHCPv6 server supports the Rapid Commit option, the DHCPv6 server creates a binding locally and sends a Reply
message in the unicast mode. The Reply message includes the address, prefix and configuration parameters to be
5-7
Command Reference Configuring DHCPv6
allocated to the DHCPv6 client. The DHCPv6 client completes configuration based on the information in the Reply
message.
The DHCPv6 server provides the control address and the updated T1 and T2 in the IA of the message sent to the DHCPv6
client.
Figure 5-7
The DHCPv6 client will send a Renew multicast message to the DHCPv6 server for updating the address and prefix
after T1 seconds. The Renew message contains the DUID of the DHCPv6 server and the IA information to be updated.
After receiving the Renew message, the DHCPv6 server checks whether the DUID value in the Renew message is
equal to the DUID value of the local device. If yes, the DHCPv6 server updates the local binding and sends a Reply
message in the unicast mode. The Reply message contains the new T1 and other parameter s.
Figure 5-8
If no response is received after the DHCPv6 client sends a Renew message to the DHCPv6 server, the DHCPv6 client
will send a Rebind multicast message to the DHCPv6 server for rebinding the address and prefix after T2 expires.
After receiving the Rebind message, the DHCPv6 server (perhaps a new DHCPv6 server) sends a Reply message
according to the content of the Rebind message.
Release
5-8
Command Reference Configuring DHCPv6
If a DHCPv6 client needs to release an address or a prefix, the DHCPv6 client needs to send a Release message to a
DHCPv6 server to notify the DHCPv6 server of the released addresses or prefixes. In this way, the DHCPv6 server can
allocate these addresses and prefixes to other DHCPv6 clients.
Figure 5-9
After receiving the Release message, the DHCPv6 server removes the corresponding bindings based on the addresses
or prefixes in the Release message, and sends a Reply message carrying the state option to the DHCPv6 client.
Confirmation
After moving to a new link (for example, after restart), a DHCPv6 client will send a Confirm message to the DHCPv6 server
on the new link to check whether the original addresses are still available.
Figure 5-10
After receiving the Confirm message, the DHCPv6 server performs confirmation based on the address information in
the Confirm message, and sends a Reply message carrying the state option to the DHCPv6 client. If the confirmation
fails, the DHCPv6 client may initiate a new address allocation request.
DHCPv6 Conflict
If the DHCPv6 client finds that the allocated addresses have been used on the link after address allocation is completed, the
DHCPv6 client sends a Decline message to notify the DHCPv6 server of the address conflict.
Figure 5-11
5-9
Command Reference Configuring DHCPv6
The DHCPv6 client includes the IA information of the conflicted addresses in the Decline message.
After receiving the Decline message, the DHCPv6 server marks the addresses in the Decline message as "declined"
and will not allocate these addresses. Then, the DHCPv6 server sends a Reply message carrying the state option to the
DHCPv6 client. You can manually clear addresses marked as "declined" to facilitate re-allocation.
Related Configuration
By default, an interface is not enabled with the DHCPv6 client address request function.
You can run the ipv6 dhcp client ia command to enable the DHCPv6 client address request function for the interface.
The DHCPv6 client address request function is effective only on a layer-3 interface.
Working Principle
Downlink network devices serve as DHCPv6 clients to exchange messages with the DHCPv6 server to implement address
allocation, update, release and other operations. Downlink network devices obtain, update, rebind and release prefixes by
using the four-/two-message exchange mechanism similar to that for allocating addresses. However, prefix allocation is
different from address allocation in the following aspects:
In message exchange using the prefix delegation, the Confirm and Decline messages are not used.
If a DHCPv6 client moves to a new link and needs to check whether the prefix information is available, it performs
confirmation through Rebind and Reply message exchange.
For the message exchange using the prefix delegation, refer to the section "Requesting/Allocating Addresses".
Related Configuration
By default, an interface is not enabled with the DHCPv6 client prefix request function.
5-10
Command Reference Configuring DHCPv6
You can run the ipv6 dhcp client pd command to enable or disable the DHCPv6 client prefix request function for the
interface.
The DHCPv6 client prefix request function is effective only on a layer-3 interface.
Working Principle
Network hosts serve as DHCPv6 clients to exchange messages with the DHCPv6 server to obtain and update configuration
parameters.
Figure 5-12
A DHCPv6 client sends an Information-request message to a DHCPv6 server to request stateless messages. Usually,
this message does not contain the DUID of the specified DHCPv6 server.
The DHCPv6 server sends a Reply message containing the configuration parameters to the DHCPv6 client.
Related Configuration
By default, an interface is not enabled with the stateless service of the DHCPv6 client.
If a host receives an RA message containing the O flag, it will enable the stateless service.
5-11
Command Reference Configuring DHCPv6
Working Principle
When receiving a message from the DHCPv6 client, the DHCPv6 relay agent creates a Relay-forward message. This
message contains the original message from the DHCPv6 client and some options added by the relay agent. Then, the relay
agent sends the Relay-forward message to a specified DHCPv6 server or a specified multicast address FF05::1:3.
After receiving the Relay-forward message, the DHCPv6 server extracts the original message from the DHCPv6 client f for
processing. Then, the DHCPv6 server constructs a response to the original message, encapsulates the response in a
Relay-reply message, and then sends the Relay-reply message to the DHCPv6 relay agent.
After receiving the Relay-reply message, the DHCPv6 relay agent extracts the original message from the DHCPv6 server for
processing, and forwards the message to the DHCPv6 client.
Multi-level relay agents are allowed between the DHCPv6 client and DHCPv6 server.
Figure 5-13
The DHCPv6 relay agent performs message encapsulation and decapsulation between the DHCPv6 client and
DHCPv6 server to enable communication between the DHCPv6 client and DHCPv6 server on different links.
5.4 Configuration
Configuring the DHCPv6 (Mandatory) It is used to enable the DHCPv6 relay agent service.
Relay
ipv6 dhcp relay destination Configures the DHCPv6 relay agent function.
5-12
Command Reference Configuring DHCPv6
A DHCPv6 relay agent can be configured for address allocation, prefix delegation and parameter allocation to enable
communication between the DHCPv6 client and server on different links.
Notes
A destination address must be specified. If the destination address is a multicast address (such as FF05::1:3), you also
need to specify an egress interface.
Configuration Steps
Mandatory.
Unless otherwise specified, you should configure the DHCPv6 relay agent function on all devices that need to provide
the DHCPv6 relay agent service.
Verification
The DHCPv6 client and DHCPv6 server exchange messages through the relay agent.
Check whether the DHCPv6 relay agent can receive and send messages.
Related Commands
5-13
Command Reference Configuring DHCPv6
Configuration Example
Configuration Specify an interface enabled with the relay service to forward received DHCPv6 client packets to a specified
Steps destination address through the specified interface (optional).
Ruijie#configure terminal
Ruijie(config)#interface vlan 1
Verification Run the show ipv6 dhcp relay destination all command to display the configured destination addresses.
Interface:VLAN 1
3001::2
ff02::1:2 VLAN 2
Common Errors
The configuration is performed on other interfaces than the Switch Virtual Interface (SVI), routed port and L3 AP port.
Enable a device to automatically request IPv6 addresses or related parameters from a server.
Notes
Configuration Steps
Mandatory.
Unless otherwise specified, you should enable the DHCPv6 client address request function on all devices that need to
request addresses.
Mandatory.
5-14
Command Reference Configuring DHCPv6
Unless otherwise specified, you should enable the DHCPv6 client prefix request function on all devices that need to
request prefixes.
Verification
Check whether the interface is enabled with the DHCPv6 client and check the addresses, prefixes and other configuration
obtained on the interface.
Related Commands
5-15
Command Reference Configuring DHCPv6
Parameter -
Description
Command Interface configuration mode
Mode
Usage Guide Configure this command on a host that sends the RA message. Then, the host that receives the RA
message obtains stateless configurations through the DHCPv6 client.
Configuration Example
Verification Run the show ipv6 dhcp interface command to display whether the interface is enabled with the
DHCPv6 client.
Rapid-Commit: disable
Verification Run the show ipv6 dhcp interface command to display whether the interface is enabled with the
DHCPv6 client.
Rapid-Commit: disable
5-16
Command Reference Configuring DHCPv6
Verification Run the show ipv6 dhcp interface command to display whether an interface of the host obtains
configuration parameters.
Rapid-Commit: disable
Common Errors
The DHCPv6 address request is enabled on interfaces enabled with the DHCPv6 relay or DHCPV6 server.
The DHCPv6 prefix request is enabled on interfaces enabled with the DHCPv6 relay or DHCPV6 server.
5.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears the statistics on sent and clear ipv6 dhcp relay statistics
received packets after the DHCPv6
relay is enabled on the current
device.
Restarts the DHCPv6 client. clear ipv6 dhcp client interface-type interface-number
Displaying
Description Command
Displays the DUID of a device. show ipv6 dhcp
Displays DHCPv6 interface. show ipv6 dhcp interface [ interface-name ]
Displays the destination address of show ipv6 dhcp relay destination { all | interface-type interface-number }
the DHCPv6 relay agent.
5-17
Command Reference Configuring DHCPv6
Displays the statistics on sent and show ipv6 dhcp relay statistics
received packets after the DHCPv6
relay is enabled on a device.
Displays the local IPv6 prefix pool. show ipv6 local pool [ poolname ]
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs DHCPv6. debug ipv6 dhcp [ detail ]
5-18
Command Reference Configuring DNS
6 Configuring DNS
6.1 Overview
A Domain Name System (DNS) is a distributed database containing mappings between domain names and IP addresses on
the Internet, which facilitate users to access the Internet without remembering IP strings that can be directly accessed by
computers. The process of obtaining an IP address through the corresponding host name is called domain name resolution
(or host name resolution).
6.2 Applications
Application Description
Static Domain Name Resolution Performs domain name resolution directly based on the mapping between a domain
name and an IP address on a device.
Dynamic Domain Name Resolution Obtains the IP address mapped to a domain name dynamically from a DNS server on
the network.
When you perform domain name operations (such as Ping and Telnet) through application programs, the system can
resolve the IP address without being connected to a server on the network.
Deployment
DNS Server is deployed on the network to provide the domain name service.
6-1
Command Reference Configuring DNS
Deployment
6.3 Features
Basic Concepts
DNS
The DNS consists of a resolver and a DNS server. The DNS server stores the mappings between domain names and IP
addresses of all hosts on the network, and implements mutual conversion between the domain names and IP addresses.
Both the TCP and UDP port IDs of DNS are 53, and generally a UDP port is used.
Features
Feature Description
Domain Name Resolution IP addresses are obtained based on domain names from a DNS server or a local
database.
Static domain name resolution means that a user presets the mapping between a domain name and an IP address on a
device. When you perform domain name operations (such as Ping and Telnet) through application programs, the system can
resolve the IP address without being connected to a server on the network.
Dynamic domain name resolution means that when a user perform domain name operations through application programs,
the DNS resolver of the system queries an external DNS server for the IP address mapped to the domain name.
6-2
Command Reference Configuring DNS
1. A user application program (such as Ping or Telnet) requests the IP address mapped to a domain name from the DNS
resolver of the system.
2. The DNS resolver queries the dynamic cache at first. If the domain name on the dynamic cache does not expire, the
DNS resolver returns the domain name to the application program.
3. If all domain names expire, the DNS resolver initiates a request for domain name-IP address conversion to the external
DNS server.
4. After receiving a response from the DNS server, the DNS resolver caches and transfers the response to the application
program.
Related Configuration
Run the ip host command to specify the IPv4 address mapped to a domain name.
Run the ipv6 host command to specify the IPv6 address mapped to a domain name.
6.4 Configuration
Optional.
Optional.
Configuring Dynamic Domain
Name Resolution ip domain-lookup Enables domain name resolution.
ip name-server Configures a DNS server.
6-3
Command Reference Configuring DNS
The system resolver resolves the IP address mapped to a domain name on a local device.
Configuration Steps
If this function is disabled, static domain name resolution does not take effect.
Verification
Run the show hosts command to check the mapping between the domain name and the IP address.
Related Commands
Configuration Example
Configuration Set the IP address of static domain name www.test.com to 192.168.1.1 on a device.
Steps Set the IP address of static domain name www.testv6.com to 2001::1 on a device.
6-4
Command Reference Configuring DNS
Ruijie#configure terminal
Ruijie(config)# exit
Verification Run the show hosts command to check whether the static domain name entry is configured.
Ruijie#show hosts
The system resolver resolves the IP address mapped to a domain name through a DNS server.
Configuration Steps
If this function is disabled, dynamic domain name resolution does not take effect.
(Mandatory) To use dynamic domain name resolution, you must configure an external DNS server.
Verification
Related Commands
6-5
Command Reference Configuring DNS
Configuration Example
Scenario
Figure 6-2
Device resolves the domain name through the DNS server (192.168.10.1) on the network.
Configuration Set the IP address of the DNS server to 192.168.10.1 on the device.
Steps
DEVICE#configure terminal
DEVICE(config)# exit
Verification Run the show hosts command to check whether the DNS server is specified.
Ruijie(config)#show hosts
192.168.10.1 static
6.5 Monitoring
Clearing
Running the clear command during device operation may cause data loss or even interrupt services.
Description Command
Clears the dynamic host name cache clear host [ host-name ]
table.
Displaying
Description Command
Displays DNS parameters. show hosts [ host-name ]
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
6-6
Command Reference Configuring DNS
Description Command
Debugs the DNS function. debug ip dns
6-7
Command Reference Configuring FTP Server
7.1 Overview
The File Transfer Protocol (FTP) server function enables a device to serve as an FTP server. In this way, a user can connect
an FTP client to the FTP server and upload files to and download files from the FTP server through FTP.
A user can use the FTP server function to easily obtain files such as syslog files from a device and copy files to the file
system of the device through FTP.
7.2 Applications
Application Description
Providing FTP Services in a LAN Provides the uploading and downloading services for a user in a Local Area Network
(LAN).
As shown in Figure 7-1, enable the FTP server function only in a LAN.
G and S are enabled with the FTP server function and layer-2 transparent transmission function respectively.
Figure 7-1
7-1
Command Reference Configuring FTP Server
Deployment
7.3 Features
Basic Concepts
FTP
FTP is a standard protocol defined by the IETF Network Working Group. It implements file transfer based on the
Transmission Control Protocol (TCP). FTP enables a user to transfer files between two networked computers and is the most
important approach to transferring files on the Internet. A user can obtain abundant Internet for free through anonymous FTP.
In addition, FTP provides functions such as login, directory query, file operation, and other session control. Among the
TCP/IP protocol family, FTP is an application-layer protocol and uses TCP ports 20 and 21 for transmission. Port 20 is used
to transmit data and port 21 is used to transmit control messages. Basic operations of FTP are described in RFC959.
User Authorization
To connect an FTP client to an FTP server, you should have an account authorized by the FTP server. That is, a user can
enjoy services provided by the FTP server after logging in to the FTP server with a user name and password. A maximum of
10 accounts can be configured, a maximum of 2 connections are allowed for each account, and a maximum of 10
connections are supported by the server.
Text transmission mode (ASCII mode): It is used to transfer text files (such as .txt, .bat, and .cfg files). This mode is
different from the binary mode in carriage return and line feed processing. In ASCII mode, carriage return and line feed
are changed to local CRC characters, for example, \n in Unix, \r\n in Windows, and \r in Mac. Assume that a file being
copied contains ASCII text. If a remote computer does not run Unix, FTP automatically converts the file format to suit
the remote computer.
Binary transmission mode: It is used to transfer program files (for example, .app, .bin and .btm files), including
executable files, compressed files and image files without processing data. Therefore, Binary mode facilitates faster
transfer of all files and more reliable transfer of ASCII files.
7-2
Command Reference Configuring FTP Server
Figure 7-2
Figure 7-3
Figure 7-2 shows the active (PORT) mode. The FTP client uses port 1026 to connect to the FTP server through port 21.
The client sends commands through this channel. Before receiving data, the client sends the PORT command on this
channel. The PORT command contains information on the channel port (1027) of the client for receiving data. The
server uses port 20 to connect to the client through port 1027 for establishing a data channel to receive and transmit
data. The FTP server must establish a new connection with the client for data transmission.
Figure 7-3 shows the passive (PASV) mode. The process for establishing a control channel is similar to that in the
PORT mode. However, after the connection is established, the client sends the PASV command rather than the PORT
command. After receiving the PASV command, the FTP server enables a high-end port (2024) at random and notifies
the client that data will be transmitted on this port. The client uses port 1027 to connect the FTP server through port
2024. Then, the client and server can transmit and receive data on this channel. In this case, the FTP server does not
need to establish a new connection with the client.
After receiving an FTP connection request, the FTP server requires the client to provide the user name and password for
authentication.
7-3
Command Reference Configuring FTP Server
If the client passes the authentication, the FTP client commands can be executed for operations. The available FTP client
commands are listed as follows:
close ls pwd
For usage of these FTP client commands, please refer to your FTP client software document. In addition, many FTP client
tools (such as CuteFTP and FlashFXP) provide the graphic user interface. These tools facilitate operations by freeing users
from configuring FTP commands.
Overview
Feature Description
Enabling the FTP Provides the functions of uploading, downloading, displaying, creating and deleting files for an FTP
Server Function client.
The basic working principle is described in the previous chapter. Ruijie devices provide FTP services after the user name,
password, and top-level directory are configured.
Related Configuration
Run the ftp-server enable command to enable the FTP server function.
You must enable the FTP server function globally before using it.
Run the ftp-server usernamepassword and ftp-server topdir commands to set an authorized user and top-level directory.
The three configurations above are mandatory; otherwise, the FTP server function cannot be enabled.
7-4
Command Reference Configuring FTP Server
7.4 Configuration
Optional.
Notes
To enable the server to close an abnormal session within a limited period, you need to configure the idle timeout of a
session.
Configuration Steps
Mandatory.
Unless otherwise noted, enable the FTP server function on every router.
Mandatory.
Unless otherwise noted, configure the top-level directory as the root directory on every router.
Mandatory.
7-5
Command Reference Configuring FTP Server
Optional.
When the client is disconnected from the server due to an error or other abnormal causes, the FTP server may not
know that the user is disconnected and continues to keep the connection. Consequently, the FTP connection is
occupied for a long time and the server cannot respond to the login requests of other users. This configuration can
ensure that other users can connect to the FTP server within a period of time upon an error.
Verification
Related Commands
Parameter times: Indicates the valid login count, ranging from 1 to 10.
Description
Usage Guide The valid login count refers to the number of times you can perform account verification during an FTP
session. The default value is 3, which means that your session will be terminated if you enter an incorrect
user name or password for three times and other users can go online.
7-6
Command Reference Configuring FTP Server
Usage Guide The login timeout refers to the maximum duration that the session lasts since being established. If you do
not pass the password verification again during the login timeout, the session will be terminated to ensure
that other users can log in.
Command ftp-servertopdirdirectory
Parameter directory: Indicates the user access path.
Description
Command Global configuration mode
Mode
Usage Guide If the top-level directory of the server is set to "/syslog", the FTP client can access only the files and
directories in the "/syslog" directory on the device after login. Due to restriction on the top-level directory, the
client cannot return to the upper directory of "/syslog".
7-7
Command Reference Configuring FTP Server
Usage Guide The idle timeout of a session refers to the duration from the end of an FTP operation to the start of the next
FTP operation in an FTP session. After the server responds to an FTP client command operation (for
example, after a file is completely transferred), the server starts to count the idle time again, and stops when
the next FTP client command operation arrives. Therefore, the configuration of the idle timeout has no effect
on some time-consuming file transfer operations.
Debugging
Configuration Example
Ruijie(config)#ftp-server timeout 5
Ruijie(config)#ftp-server topdir /
Ruijie(config)#ftp-server enable
Verification Run the show ftp-server command to check whether the configuration takes effect.
Ruijie#show ftp-server
7-8
Command Reference Configuring FTP Server
ftp-server information
===================================
enable : Y
topdir : tmp:/
timeout: 10min
client IP:192.168.21.26[3927]
client IP:192.168.21.26[3929]
Common Errors
No password is configured.
7.5 Monitoring
Displaying
Description Command
Displays the FTP server configuration. show ftp-server
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
7-9
Command Reference Configuring FTP Server
Description Command
Debugs the FTP server error events. debug ftp-server err
Debugs the FTP server message events. debug ftp-server pro
7-10
Command Reference Configuring FTP Client
8.1 Overview
The File Transfer Protocol (FTP) is an application of TCP/IP. By establishing a connection-oriented and reliable TCP
connection between the FTP client and server, a user can access a remote computer that runs the FTP server program.
An FTP client enables file transfer between a device and the FTP server over the FTP protocol. A user uses the client to send
a command to the server. The server responds to the command and sends the execution result to the client. By means of
command interaction, the user can view files in the server directory, copy files from a remote computer to a local computer, or
transfer local files to a remote computer.
FTP is intended to facilitate sharing of program/data files and encourage remote operation (by using programs). Users do not
need to be concerned with differences of different files systems on different hosts. Data is transmitted in an efficient and
reliable manner. FTP enables remote file operation securely.
Ruijie FTP clients are different from standard FTP clients that run interactive commands. Instead, you enter the copy
command in CLI to perform control-connection instructions such as open, user, and pass. After a control connection is
established, the file transfer process starts, and then a data connection is established to upload or download files.
Old devices support TFTP. However, TFTP is used to transfer small files whereas FTP is used to transfer large files.
Implementing FTP on a device enables the file transfer between the local device and other clients or servers.
8.2 Applications
Application Description
Uploading a Local File to a Remote Local and remote files need to be shared, for example, uploading a local file to a
Server remote server.
Downloading a File from a Remote
Local and remote files need to be shared, for example, downloading a file from a
Server to a Local Device
remote server to a local device.
Local and remote files need to be shared, for example, uploading a local file to a remote server.
Figure 8-1
8-1
Command Reference Configuring FTP Client
Deployment
Local and remote files need to be shared, for example, downloading a file from a remote server to a local device.
Figure 8-2
Deployment
8.3 Features
Basic Concepts
An FTP client and an FTP server can be connected in the active or passive mode.
8-2
Command Reference Configuring FTP Client
The transmission between an FTP client and an FTP server is available in two modes, namely, text (ASCII) and binary
(Binary).
An FTP client is configured with a source IP address for communication with an FTP server.
Overview
Feature Description
Uploading FTP Files Uploads files from an FTP client to an FTP server.
Downloading FTP Files Downloads files from an FTP server to an FTP client.
FTP Connection Mode Specifies the connection mode between an FTP client and an FTP server.
FTP Transmission Mode Specifies the transmission mode between an FTP client and an FTP server.
Specifying the Source Configures a source IP address of an FTP client for communication with an FTP server.
Interface IP Address for
FTP Transmission
1. Control connection: Some simple sessions are enabled with the control connection only. A client sends a command to a
server. After receiving the command, the server sends a response. The process is shown in Figure 8-3.
8-3
Command Reference Configuring FTP Client
2. Control connection and data connection: When a client sends a command for uploading or downloading data, both the
control connection and data connection need to be established.
FTP supports two data connection modes: active (PORT) and passive (PASC). The two modes are different in establishing a
data connection.
Active mode
In this mode, an FTP server connects to an FTP client actively when a data connection is established. This mode comprises
four steps:
1. The client uses source port 5150 to communicate with the server through port 21 as shown in Figure 8-4 to send a
connection request and tell the server that the port to be used is port 5151.
2. After receiving the request, the server sends a response OK(ACK). The client and server exchanges control signaling by
console ports.
3. The server enables port 20 as the source port to send data to port 5151 of the client.
Passive mode
8-4
Command Reference Configuring FTP Client
This mode is often set by the passive command. When a data connection is established, the FTP server is connected to the
FPT client passively. This mode comprises four steps:
1. In the passive mode, the client initializes the control signaling connection. The client uses source port 5150 to connect to
the server through port 21 as shown in Figure 8-5, and runs the passive command to request the server to enter the
PASV mode.
2. The server agrees to enter the PASV mode, selects a port number greater than 1024 at random, and tells the port
number to the client.
3. After receiving the message, the client uses port 5151 as shown in Figure 8-5 to communicate with the server through
port 3268. Here, port 5151 is the source port and port 3268 is the destination port.
4. After receiving the message, the server sends data and responds an ACK(OK) response.
After the data connection is established, you can perform file uploading and downloading. Besides, you can perform some
operations on the server file from the client.
The control connection for command and feedback transmission is always present whereas the data connection is
established as required. Only an FTP client has the right to select and set the PASV or PORT mode. The FTP client
sends a command to establish a data connection. Ruijie FTP clients use the PASV mode by default.
ASCII mode
The difference between the ASCII and Binary modes lies in carriage return and line feed processing. In ASCII mode, carriage
return and line feed are changed to a local Carriage Return Character (CRC), for example, \n in Unix, \r\n in Windows, and \r
in Mac.
8-5
Command Reference Configuring FTP Client
Binary mode
The Binary mode can be used to transfer executable files, compressed files and image files without processing data. For
example, a text file needs to be transferred from Unix to Windows. When the Binary mode is used, the line breaks in Unix will
not be converted from \r to \r\n; therefore in Windows, this file has no line feeds and displays many black squares. Therefore,
Binary mode facilitates faster transfer of all files and more reliable transfer of ASCII files.
8.4 Configuration
Notes
Configuration Steps
Uploading a File
8-6
Command Reference Configuring FTP Client
Configure the FTP URL as the destination address of copy in Privileged EXEC mode.
Downloading a File
Configure the FTP URL as the source address of copy in Privileged EXEC mode.
Verification
Related Commands
Uploading a File
The directory specified by the local-directory field must have been created on the device. This
command will not automatically create a directory.
8-7
Command Reference Configuring FTP Client
The directory specified by the local-directory field must have been created on the device. This
command will not automatically create a directory.
Configuration Example
Uploading a File
Upload the local-file file in the home directory of a device to the root directory of an FTP server whose user
Configuration
name is user, password is pass and IP address is 192.168.23.69 and name the file as remote-file.
Steps
Verification Check whether the remote-file file exists on the FTP server.
Downloading a File
Download the remote-file file from the root directory of an FTP server whose user name is user, password
Configuration
is pass and IP address is 192.168.23.69 to the home directory of a device and save the file as local-file.
Steps
Check whether the remote-file file exists in the home directory of the flash.
Verification
Common Errors
Set the connection and transmission modes and configure a source IP address of the client for file uploading and
download.
Notes
N/A
8-8
Command Reference Configuring FTP Client
Configuration Steps
Optional.
Optional.
Optional.
Optional.
Verification
Run the show run command to check whether the configuration takes effect.
Related Commands
8-9
Command Reference Configuring FTP Client
Configuration Example
Ruijie(config)# end
Run the show run command on the device to check whether the configuration takes effect.
Verification
Ruijie# show run
ftp-client ascii
ftp-client port
8-10
Command Reference Configuring FTP Client
Common Errors
8.5 Monitoring
Displaying
Description Command
Displays the FTP client configuration. show run
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs the FTP Client. debug ftp-client
8-11
Command Reference Configuring TFTP
9 Configuring TFTP
9.1 Overview
The Trivial File Transfer Protocol (TFTP) service enables a device to be configured as a TFTP server. Then the client can be
connected to the TFTP server to upload files to or download files from the device using the TFTP protocol.
Users can easily obtain files such as upgrade package files from the device or copy files to the file system of the device using
the TFTP service.
9.2 Applications
Application Description
Providing the TFTP Service in a LAN Enables users in a LAN to upload and download files.
Scenario
Figure 9-1
Deployment
9-1
Command Reference Configuring TFTP
9.3 Features
Basic Concepts
TFTP
TFTP is a set of standard protocols defined by the IETF Network Working Group, and operates at the application layer.
Implemented on the top of the User Datagram Protocol (UDP), TFTP is a simple protocol to transfer files. TFTP provides only
the file uploading and downloading functions instead of many common FTP functions. It does not support the directory list
and the authentication function, and does not provide any security mechanism. TFTP uses the way of acknowledged
retransmission upon timeout to ensure data transmission, which covers three transmission modes: netascii in the form of an
eight-bit ASCII code, eight-bit octet of the source data type, and mail (which is no longer supported). TFTP uses UDP port 69.
A description of TFTP can be found in RFC 1350.
TFTP Packet
Any transfer begins with a request to read or write a file from a TFTP client. After the TFTP server grants the request, the file
is sent in fixed length blocks of 512 bytes. A data packet of less than 512 bytes indicates the termination of a transfer.
Each data packet contains a block of data, and must be acknowledged by an acknowledgement packet before the next data
packet can be sent. If no acknowledgement packet is received within specified time, the last sent data packet is
retransmitted.
The TFTP packet header includes an opcode field, which indicates the packet type. TFTP supports the following five types of
packets:
DATA
Acknowledgment (ACK)
ERROR
Figure 9-2
9-2
Command Reference Configuring TFTP
Working Principle
Figure 9-3
Upon receipt of the RRQ, the TFTP server first determines whether the read condition is met (for example, whether the
file exists or whether the client has the access permission), and returns a DATA packet to the TFTP client if yes; upon
receipt of the WRQ, the TFTP server first determines whether the write condition is met (for example, whether there is a
sufficient space or whether the client has the write permission), and returns an ACK packet to the TFTP client if yes.
9-3
Command Reference Configuring TFTP
The TFTP client receives the DATA packet in the case of file downloading, and replies with an ACK packet; or receives
the ACK packet in the case of file uploading, and then sends a DATA packet.
The process of transmission acknowledgement repeats till the last DATA packet is less than 512 bytes, which indicates
the end of the transmission.
Overview
Feature Description
TFTP Service Provides the TFTP client with file uploading and downloading functions.
The working principle of TFTP is as described in the previous chapter. After the TFTP service is enabled on the device,
configure a top directory so that the TFTP service is available for users.
Related Configuration
You must enable the TFTP service; otherwise, the TFTP server is unavailable.
You must configure the top directory; otherwise, file uploading and downloading functions are unavailable.
9.4 Configuration
9-4
Command Reference Configuring TFTP
Establish a TFTP server to provide the TFTP client with uploading and downloading functions.
Configuration Tips
Configuration Steps
Mandatory configuration.
Mandatory configuration.
Configure a top directory as the root directory on each device unless otherwise stated.
Verification
Check whether the client can normally download files from and upload files to the server.
Related Commands
9-5
Command Reference Configuring TFTP
Configuration Example
Ruijie(config)#tftp-server enable
Ruijie#show run
tftp-server enable
Common Errors
9-6
Command Reference Configuring TFTP
9.5 Monitoring
Displaying
System resources are occupied when debugging information is output. Therefore, disable the debugging switch
immediately after use.
Function Command
Enables the TFTP server debugging switch. debug tftp-server
9-7
Command Reference Configuring Network Communication Test Tools
10.1 Overview
Network communication test tools can be used to check the connectivity of a network and helps you analyze and locate
network faults. Network communication test tools include Packet Internet Groper (PING) and Traceroute. Ping is used to
check the connectivity and delay of a network. A greater delay indicates a slower network speed. Traceroute helps you learn
about the topology of physical and logical links and transmission rate. On a network device, you can run the ping and
traceroute commands to use the two tools respectively.
RFC4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
10.2 Applications
Application Description
End-to-End Connectivity Test Both the network device and the destination host are connected to the IP network and
configured with IP addresses.
Host Route Test Both the network device and the destination host are connected to the IP network and
configured with IP addresses.
As shown in Figure 10-1, Network Device A and Target Host B are connected to the IP network.
If both the network device and the target host are connected to the IP network, the end-to-end connectivity test aims to check
whether IP packets can be transmitted between the two ends. The target host can be the network device itself. In this case,
the connectivity test aims to check the network interface and TCP/IP configurations on the device.
Figure 10-1
Deployment
10-1
Command Reference Configuring Network Communication Test Tools
As shown in Figure 10-2, Network Device A and Target Host B are connected to the IP network.
If both the network device and the target host are connected to the IP network, the host route test aims to check gateways (or
routers) that IP packets pass through between the two ends. Generally, the target host is not within the same IP network
segment as the network device.
Figure 10-2
Deployment
10.3 Features
Overview
Feature Description
Ping Test Test whether the specified IPv4 or IPv6 address is reachable and display the related
information.
Traceroute Test Display the gateways that IPv4 or IPv6 packets pass through when transmitted from the
source to the destination.
The ping tool sends an Internet Control Message Protocol (ICMP) Request message to the destination host to request the for
an ICMP Echo Reply message. In this way, the ping tool determines the delay and the connectivity between the two network
devices.
Related Configuration
The traceroute tool uses the Time To Live (TTL) field in the headers of the ICMP and IP messages for the test First, the
traceroute tool on the network device sends an ICMP Request message with TTL 1 to the destination host. After receiving
10-2
Command Reference Configuring Network Communication Test Tools
the message, the first router on the path decreases the TTL by 1. As the TTL becomes 0, the router drops the packets and
returns an ICMP time exceeded message to the network device. After receiving this message, the traceroute tool learns that
this router exists on this path, and then sends an ICMP Request packet with TTL 2 to the destination host to discover the
second router. Each time the traceroute tool increases the TTL in the ICMP Request message by 1 to discover one more
router. This process is repeated until a data packet reaches the destination host. After the packet reaches the destination
host, the host returns an ICMP Echo message instead of an ICMP time exceeded message to the network device. Then, the
traceroute tool finishes the test and displays the path from the network device to the destination host.
Related Configuration
10.4 Configuration
(Optional) It is used to display the gateways that IPv4 or IPv6 packets pass through
Traceroute Test when transmitted from the source to the destination.
After conducting a ping test on a network device, you can learn whether the network device is connected to the destination
host and whether packets can be transmitted between the network device and the destination host.
Notes
Configuration Steps
To check whether an IPv4 address is reachable, use the ping IPv4 command.
To check whether an IPv6 address is reachable, use the ping IPv6 command.
Verification
Run the ping command to display related information on the command line interface (CLI) window.
Related Commands
Ping IPv4
10-3
Command Reference Configuring Network Communication Test Tools
Command ping [ip ] { address [ length length ] [ ntimes times ] [ timeout seconds ] [ data data ] [ source source ]
[ df-bit ] [ validate ] [ detail ] [interval millisecond] [ out-interface interface [next-hop next-hop]] }
Ping IPv6
Command ping [ipv6] { address [ length length ] [ ntimes times ] [ timeout seconds ] [ data data ] [ source source ]
[ df-bit ] [ validate ] [ detail ] [interval millisecond] [ out-interface interface [next-hop next-hop]] }
10-4
Command Reference Configuring Network Communication Test Tools
detail: Configures whether to display the Echo Reply message in detail. By default, only the exclamation
mark (!) and dot (.) are displayed.
interface: Specifies the interface for sending the data packets.
next-hop: Specifies the next hop IPv6 address.
millisecond: Specifies the interval at which the ping packet is sent. The value ranges from 10 ms to 300,000
ms. The default interval is 100 ms.
Command In User EXEC mode, you can execute only the basic ping IPv6 function. In Privileged EXEC mode, you can
Mode execute the extended ping IPv6 function.
In other configuration modes, you can run the do command to execute the extended ping function. For
details about the configuration, see the description about the do command.
Configuration When the ping IPv6 function is executed, information about the response (if any) will be displayed, and then
Usage related statistics will be output.
Using the extended ping IPv6 function, you can specify the number, length and timeout of packets to be
sent. Like the basic ping IPv6 function, related statistics will be output.
To use the domain name, you must first configure the DNS. For details about the configuration, see
Configuring DNS.
Configuration Example
!!!!!
10-5
Command Reference Configuring Network Communication Test Tools
Verification Send five 100-byte packets to the specified IP address, and the response information will be displayed in the
specified time (2s by default). Finally the statistics is output.
Configuration In Privileged EXEC mode, run the ping 192.168.21.26 command. In addition, specify the length, number,
Steps and timeout of the packets.
Ruijie# ping 192.168.21.26 length 1500 ntimes 100 data ffff source 192.168.21.99 timeout 3
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!
ping 192.168.21.26 length 1500 ntimes 20 data ffff source 192.168.21.99 timeout 3 detail
10-6
Command Reference Configuring Network Communication Test Tools
Verification Send twenty 1500-byte packets to the specified IP address, and the response information (if any) will be
displayed in the specified time (3s by default). Finally the statistics is output.
Configuration In Privileged EXEC mode, run the ping ipv6 2001::1 command.
Steps
!!!!!
10-7
Command Reference Configuring Network Communication Test Tools
Verification Send five 100-byte packets to the specified IP address, and the response information will be displayed in the
specified time (2s by default). Finally the statistics is output.
Configuration In Privileged EXEC mode, run the ping ipv6 2001::5 command. In addition, specify the length, number, and
Steps timeout of the packets.
Ruijie# ping ipv6 2001::5 length 1500 ntimes 100 data ffff source 2001::9 timeout 3
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!
Ruijie#ping 2001::5 length 1500 ntimes 10 data ffff source 2001::9 timeout 3
Verification Send one hundred 1500-byte packets to the specified IPv6 address, and the response information (if any)
will be displayed in the specified time (3s by default). Finally the statistics is output.
10-8
Command Reference Configuring Network Communication Test Tools
After conducting a traceroute test on a network device, you can learn about the routing topology between the network device
and the destination host, and the gateways through which packets are sent from the network device to the destination host.
Notes
Configuration Steps
To trace the route an IPv4 packet would follow to the destination host, run the traceroute IPv4 command.
To trace the route an IPv6 packet would follow to the destination host, run the traceroute IPv6 command.
Verification
Run the traceroute command to display related information on the CLI window.
Related Commands
Traceroute IPv4
Command traceroute [ ip ] { adress [ probe number ] [ source source ] [ timeout seconds ] [ ttl minimum maximum ]
[out-interface interface [next-hop next-hop] ] }
Traceroute IPv6
Command traceroute [ipv6 ] { address [ probe number ] [ timeout seconds ] [ ttl minimum maximum ] [ out-interface
interface [next-hop next-hop]] }
10-9
Command Reference Configuring Network Communication Test Tools
Description number: Specifies the number of probes. The value ranges from 1 to 255.
seconds: Specifies the timeout. The value ranges from 1s to 10s.
minimum maximum: Specifies the minimum and maximum TTL values. The value ranges from 1 to 255.
interface: Specifies the interface for sending the data packets.
next-hop: Specifies the next hop IPv6 address.
Command In User EXEC mode, you can execute only the basic traceroute IPv6 function. In privileged EXEC mode, you
Mode can execute the extended traceroute IPv6 function.
Configuration The traceroute IPv6 command is used to test the network connectivity and accurately locate a fault when the
Usage fault occurs. To use the domain name, you must first configure the DNS. For details about the configuration,
see Configuring DNS.
Configuration Example
Configuration In Privileged EXEC mode, run the traceroute ipv6 3004::1 command.
Steps
Ruijie#
The preceding test result indicates that the network device accesses host 3004::1 by transmitting packets
through gateways 1–3. In addition, the time required to reach each gateway is displayed.
10-10
Command Reference Configuring Network Communication Test Tools
4 * * *
The preceding test result indicates that the network device accesses host 202.108.37.42 by transmitting
packets through gateways 1–17, and Gateway 4 is faulty.
Configuration In Privileged EXEC mode, run the traceroute ipv6 3004::1 command.
Steps
10-11
Command Reference Configuring Network Communication Test Tools
The preceding test result indicates that the network device accesses host 3004::1 by transmitting packets
through gateways 1-4. In addition, the time required to reach each gateway is displayed.
Configuration In Privileged EXEC mode, run the traceroute ipv6 3004::1 command.
Steps
4 * * *
The preceding test result indicates that the network device accesses host 3004::1 by transmitting packets
through gateways 1–5, and Gateway 4 is faulty.
10-12
Command Reference Configuring TCP
11 Configuring TCP
11.1 Overview
The Transmission Control Protocol (TCP) is a transport-layer protocol providing reliable connection-oriented and IP-based
services to for the application layer.
Internetwork data flows in 8-bit bytes are sent from the application layer to the TCP layer, and then fragmented into packet
segments of a proper length via the TCP. The Maximum Segment Size (MSS) is usually limited by the Maximum
Transmission Unit (MTU) of the data link layer. After that, the packets are sent to the IP layer and then to the TCP layer of a
receiver through the network.
To prevent packet loss, every byte is identified by a sequence number via the TCP, and this ensures that packets destined
for the peer are received in order. Then, the receiver responds with a TCP ACK packet upon receiving a packet. If the sender
does not receive ACK packets in a reasonable Round-Trip Time (RTT), the corresponding packets (assumed lost) will be
retransmitted.
TCP uses the checksum function to check data integrity. Besides, MD5-based authentication can be used to verify data.
The Sliding Window Protocol is adopted to control flows. As documented in the Protocol, unidentified groups in a
window should be retransmitted.
RFC 1213: Management Information Base for Network Management of TCP/IP-based Internets: MIB-II
RFC 4022: Management Information Base for the Transmission Control Protocol (TCP)
11.2 Applications
Application Description
Optimizing TCP Performance To avoid TCP packet fragmentation on a link with a small MTU, Path MTU Discovery
(PMTUD) is enabled.
Detecting TCP Connection Exception TCP checks whether the peer works normally.
11-1
Command Reference Configuring TCP
For example, TCP connection is established between A and D, as shown in the following figure. The MTU of the link between
A and B is 1500 bytes, 1300 bytes between B and C, and 1500 bytes between C and D. To optimize TCP transmission
performance, packet fragmentation should be avoided between B and C.
Figure 11-1
Deployment
For example, in the following figure, User logs in to A through telnet but is shut down abnormally, as shown in the following
figure. In case of TCP retransmission timeout, the User's TCP connection remains for a long period. Therefore, TCP
keepalive can be used to rapidly detect TCP connection exception.
Figure 11-2
Remarks: A is a router.
Deployment
11-2
Command Reference Configuring TCP
11.3 Features
Basic Concepts
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Acknowledgment Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Data | |U|A|P|R|S|F| |
| | |G|K|H|T|N|N| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Acknowledgment Number is a 32-bit number that identifies the next sequence number that the receiver is expecting
to receive.
Data Offset is a 4-bit number that indicates the total number of bytes in the TCP header (option included) divided by 4.
A flag bit is 6-bit. URG: the urgent pointer field is significant; ACK: the acknowledgment field is significant; PSH:
indicates the push function; RST: resets TCP connection; SYN: synchronizes the sequence number (establishing a
TCP connection); FIN: no more data from the sender (closing a TCP connection).
11-3
Command Reference Configuring TCP
A 16-bit Window value is used to control flows. It specifies the amount of data that may be transmitted from the peer
between ACK packets.
Urgent Pointer is 16-bit and shows the end of the urgent data so that interrupted data flows can continue. When the
URG bit is set, the data is given priority over other data flows.
2. The server receives the SYN packet and responds with a SYN ACK packet.
3. The client receives the SYN packet from the server and responds with an ACK packet.
After the three-way handshake, the client and server are connected successfully and ready for data transmission.
Overview
Feature Description
Configuring SYN Timeout Configure a timeout waiting for a response packet after an SYN or SYN ACK packet is sent.
Configuring Window Size Configure a window size.
Configuring Reset Packet Configure the sending of TCP reset packets after receiving port unreachable messages.
Sending
Configuring MSS Configure an MSS for TCP connection.
Path MTU Discovery Discover the smallest MTU on TCP transmission path, and adjust the size of TCP packets
based on this MTU to avoid fragmentation.
TCP Keepalive Check whether the peer works normally.
A TCP connection is established after three-way handshake: The sender sends an SYN packet, the receiver replies with a
SYN ACK packet, and then the sender replies with an ACK packet.
If the receiver does not reply with a SYN ACK packet after the sender sends an SYN packet, the sender keeps
retransmitting the SYN packet for certain times or until timeout period expires.
If the receiver replies with a SYN ACK packet after the sender sends an SYN packet but the sender does not reply with
an ACK packet, the receiver keeps retransmitting the SYN ACK packet for certain times or until timeout period expires.
(This occurs in the case of SYN flooding.)
Related Configuration
11-4
Command Reference Configuring TCP
Run the ip tcp synwait-time seconds command in global configuration mode to configure an SYN timeout ranging from
5 to 300 seconds.
In case of SYN flooding, shortening SYN timeout reduces resource consumption. However, it does not work in
continuous SYN flooding. When a device actively makes a request for a connection with an external device, through
telnet for example, shortening SYN timeout reduces user's wait time. You may prolong SYN timeout properly on a poor
network.
The ip tcp syntime-out command in version 10.x is disused but compatible in version 11.0. If this command is
executed, it will be converted to the ip tcp synwait-time command.
In version 10.x, the configuration applies to only IPv4 TCP. In version 11.0 or later, it applies to both IPv4 TCP and IPv6
TCP.
Data from the peer is cached in the TCP receiving buffer and subsequently read by applications. The TCP window size
indicates the size of free space of the receiving buffer. For wide-bandwidth bulk-data connection, enlarging the window size
dramatically promotes TCP transmission performance.
Related Configuration
Run the ip tcp window-size size command in global configuration mode to configure a window size ranging from 128
to (65535<< 14) bytes. The default is 65535 bytes. If the window size is greater than 65535 bytes, window enlarging will
be enabled automatically.
The window size advertised to the peer is the smaller value between the configured window size and the free space of
the receiving buffer.
In version 10.x, the configuration applies to only IPv4 TCP. In version 11.0 or later, it applies to both IPv4 TCP and IPv6
TCP.
When TCP packets are distributed to applications, if the TCP connection a packet belongs to cannot be identified, the local
end sends a reset packet to the peer to terminate the TCP connection. Attackers may use port unreachable messages to
attack the device.
Related Configuration
Configuring the Sending of TCP Reset Packets After Receiving Port Unreachable Messages
11-5
Command Reference Configuring TCP
By default, TCP reset packet sending upon receiving port unreachable messages is enabled.
Run the no ip tcp send-reset command in global configuration mode to disable TCP reset packet sending upon receiving
port unreachable messages.
After this function is enabled, attackers may use port unreachable messages to attack the device.
The ip tcp not-send-rst command in version 10.x is disused but compatible in version 11.0. If this command is
executed, it will be converted to the no ip tcp send-reset command.
In version 10.x, the configuration applies to only IPv4 TCP. In version 11.0 or later, it applies to both IPv4 TCP and IPv6
TCP.
The MSS refers to the total amount of data contained in a TCP segment t excluding TCP options.
Three-way handshake is implemented through MSS negotiation. Both parties add the MSS option to SYN packets, indicating
the largest amount of data that the local end can handle, namely, the amount of data allowed from the peer. Both parties take
the smaller MSS between them as the advertised MSS.
IPv4 TCP: MSS = Outgoing interface MTU –IP header size (20-byte)–TCP header size (20-byte).
IPv6 TCP: MSS = IPv6 Path MTU –IPv6 header size (40-byte)–TCP header size (20-byte).
In version 10.x, the configuration applies to only IPv4 TCP. In version 11.0 or later, it applies to both IPv4 TCP and IPv6
TCP.
The effective MSS is the smaller one between the calculated MSS and the configured MSS.
If a connection supports certain options, the option length (with data offset taken into consideration) should be
deducted from an MSS value. For example, 20 bytes for MD5 digest (with data offset taken into consideration) should
be subtracted from the MSS.
Related Configuration
Configuring MSS
Run the ip tcp mss max-segment-size command in global configuration mode to set an MSS. It ranges from 68 to 1000
bytes. By default, the MSS is calculated based on MTU. If an MSS is configured, the effective MSS is the smaller one
between the calculated MSS and the configured MSS.
An excessively small MSS reduces transmission performance. You can promote TCP transmission by increasing the
MSS. Choose an MSS value by referring to the interface MTU. If the former is bigger, TCP packets will be fragmented
and transmission performance will be reduced.
11-6
Command Reference Configuring TCP
The Path MTU Discovery f stipulated in RFC1191 is used to discover the smallest MTU in a TCP path to avoid fragmentation,
enhancing network bandwidth utilization. The process of TCPv4 Path MTU Discovery is described as follows:
1. The source sends TCP packets with the Don’t Fragment (DF) bit set in the outer IP header.
2. If the outgoing interface MTU value of a router in the TCP path is smaller than the IP packet length, the packet will be
discarded and an ICMP error packet carrying this MTU will be sent to the source.
3. Through parsing the ICMP error packet, the source knows the smallest MTU in the path (path MTU) is.
4. The size of subsequent data segments sent by the source will not surpass the MSS, which is calculated as follows: TCP
MSS = Path MTU – IP header size – TCP header size.
Related Configuration
Run the ip tcp path-mtu-discovery command to enable PMTUD in global configuration mode.
In version 10.x, the configuration applies to both IPv4 TCP and IPv6 TCP. In version 11.0 or later, it applies to only
IPv4 TCP. TCPv6 PMTUD is enabled permanently and cannot be disabled.
You may enable TCP keepalive to check whether the peer works normally. If a TCP end does not send packets to the other
end for a period of time (namely idle period), the latter starts sending keepalive packets successively to the former for several
times. If no response packet is received, the TCP connection is considered inactive and then closed.
Related Configuration
Enabling Keepalive
Run the ip tcp keepalive [interval num1] [times num2] [idle-period num3] command to in global configuration mode
to enable TCP keepalive. See Configuration for parameter description.
In version 10.x, the configuration applies to only IPv4 TCP. In version 11.0 or later, it applies to both IPv4 TCP and IPv6
TCP.
The service tcp-keepalives-in command is used in version 10.x to enable keeplive on the TCP server. It is disused but
compatible in version 11.0. If this command is executed, it will be converted to the ip tcp keepalive [interval num1]
[times num2] [idle-period num3] command.
11-7
Command Reference Configuring TCP
The service tcp-keepalives-out command is used in version 10.x to enable keeplive on the TCP client. It is disused
but compatible in version 11.0. If this command is executed, it will be converted to the ip tcp keepalive [interval num1]
[times num2] [idle-period num3] command.
11.4 Configuration
Detecting TCP Connection (Optional) It is used to detect whether the peer works normally.
Exception
ip tcp keepalive Enables TCP keepalive.
Notes
N/A
Configuration Steps
Optional.
Optional.
Configuring the Sending of TCP Reset Packets After Receiving Port Unreachable Messages.
11-8
Command Reference Configuring TCP
Optional.
Configuring MSS
Optional.
Optional.
Verification
N/A
Related Commands
Configuring the Sending of TCP Reset Packets After Receiving Port Unreachable Messages
11-9
Command Reference Configuring TCP
Mode
Usage Guide By default, TCP reset packet sending upon receiving port unreachable messages is enabled.
Configuring MSS
Configuration Example
Configuration Enable PMTUD for a TCP connection. Adopt the default age timer settings.
Steps
Ruijie(config)# end
Verification Run the show tcp pmtu command to display the IPv4 TCP PMTU.
11-10
Command Reference Configuring TCP
Configuration Enable PMTUD for a TCP connection. Adopt the default age timer settings.
Steps
Ruijie(config)# end
Verification Run the show tcp pmtu command to display the IPv4 TCP PMTU.
Number Local Address Foreign Address PMTU
Run the show ipv6 tcp pmtu command to display the IPv6 TCP PMTU.
Common Errors
N/A
Notes
N/A
Configuration Steps
Optional.
Verification
N/A
Related Commands
11-11
Command Reference Configuring TCP
Description is 75 seconds.
times num2: Indicates the maximum times for sending keepalive packets. It ranges from 1 to 10. The default
is 6.
idle-period num3: Indicates the time when the peer sends no packets to the local end, It ranges from 60 to
1800 seconds. The default is15 minutes.
Command Global configuration mode
Mode
Usage Guide You may enable TCP keepalive to check whether the peer works normally. The function is disabled by
default.
Suppose a user enables TCP keepalive function with the default interval, times and idle period settings. The
user does not receive packets from the other end within 15 minutes and then starts sending Keepalive
packets every 75 seconds for 6 times. If the user receives no TCP packets, the TCP connection is
considered inactive and then closed.
Configuration Example
Configuration Enable TCP keepalive on a device with interval and idle-period set to 3 minutes and 60 seconds
Steps respectively. If the user receives no TCP packets from the other end after sending keepalive packets four
times, the TCP connection is considered inactive.
Ruijie(config)# end
Verification A user logs in to a device through telnet, and then shuts down the local device. Run the show tcp connect
command on the remote device to observe when IPv4 TCP connection is deleted.
Common Errors
N/A
11.5 Monitoring
Displaying
Description Command
Displays basic information on IPv4 show tcp connect [local-ip a.b.c.d] [local-port num] [peer-ip a.b.c.d] [peer-po
TCP connection. rt num]
Displays IPv4 TCP connection show tcp connect statistics
statistics.
11-12
Command Reference Configuring TCP
Description Command
show tcp pmtu [local-ip a.b.c.d] [local-port num] [peer-ip a.b.c.d] [peer-port
Displays IPv4 TCP PMTU.
num]
Displays IPv4 TCP port information. show tcp port [num]
Displays IPv4 TCP parameters. show tcp parameter
Displays IPv4 TCP statistics. show tcp statistics
Displays basic information on IPv6 show ipv6 tcp connect [local-ipv6 X:X:X:X::X] [local-port num] [peer-ipv6 X:
TCP connection. X:X:X::X] [peer-port num]
Displays IPv6 TCP connection show ipv6 tcp connect statistics
statistics.
show ipv6 tcp pmtu [local-ipv6 X:X:X:X::X] [local-port num] [peer-ipv6 X:X:X:
Displays IPv6 TCP PMTU.
X::X] [peer-port num]
Displays IPv6 TCP port information. show ipv6 tcp port [num]
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Displays the debugging information debug ip tcp packet [ in | out] [local-ip a.b.c.d] [peer-ip a.b.c.d] [global] [local-port
on IPv4 TCP packets. num] [peer-port num] [deeply]
Displays the debugging information debug ip tcp transactions [local-ip a.b.c.d] [peer-ip a.b.c.d] [local-port num]
on IPv4 TCP connection. [peer-port num]
Displays the debugging information debug ipv6 tcp packet [ in | out] [local-ipv6 X:X:X:X::X] [peer-ipv6 X:X:X:X::X]
on IPv6 TCP packets. [global] [local-port num] [peer-port num] [deeply]
Displays the debugging information debug ipv6 tcp transactions [local-ipv6 X:X:X:X::X] [peer-ipv6 X:X:X:X::X]
on IPv6 TCP connection. [local-port num] [peer-port num]
11-13
Command Reference Configuring IPv4/IPv6 REF
12.1 Overview
On products incapable of hardware-based forwarding, IPv4/IPv6 packets are forwarded through the software. To optimize
the software-based forwarding performance, Ruijie introduces IPv4/IPv6 express forwarding through software (Ruijie
Express Forwarding, namely REF).
REF maintains two tables: forwarding table and adjacency table. The forwarding table is used to store route information. The
adjacency table is derived from the ARP table and IPv6 neighbor table, and it contains Layer 2 rewrite(MAC) information for
the next hop..
REF is used to actively resolve next hops and implement load balancing.
N/A
12.2 Applications
Application Description
Load Balancing During network routing, when a route prefix is associated with multiple next hops, REF can
implement load balancing among the multiple next hops.
As shown in Figure 12-1, a route prefix is associated with three next hops on router A, namely, link 1, link 2, and link 3. By
default, REF implements load balancing based on the destination IP address. Load balancing can be implemented based on
the source IP address and destination IP address as well.
12-1
Command Reference Configuring IPv4/IPv6 REF
Figure 12-1
Deployment
12.3 Features
Basic Concepts
Routing table
An IPv4/IPv6 routing table stores routes to the specific destinations and contains the topology information. During packet
forwarding, IPv4/IPv6 REF selects packet transmission paths based on the routing table.
Adjacent node
An adjacent node contains output interface information about routed packets, for example, the next hop, the next component
to be processed, and the link layer encapsulation. When a packet is matched with an adjacent node, the packet is directly
encapsulated and then forwarded. For the sake of query and update, an adjacent node table is often organized into a hash
table. To support routing load balancing, the next hop information is organized into a load balance entry. An adjacent node
may not contain next hop information. It may contain indexes of next components (such as other line cards and multi-service
cards) to be processed.
Active resolution
REF supports next hop resolution. If the MAC address of the next hop is unknown, REF will actively resolve the next hop.
IPv4 REF requests the ARP module for next hop resolution while IPv6 REF applies the ND module to resolution.
12-2
Command Reference Configuring IPv4/IPv6 REF
Packets are forwarded based on their IPv4/IPv6 addresses. If the source and destination IPv4/IPv6 addresses of a packet
are specified, the forwarding path of this packet is determined.
Working Principle
REF supports two load balancing modes. In the REF model, a route prefix is associated with multiple next hops, in other
words, it is a multi-path route. The route will be associated with a load balance table and implement weight-based load
balancing. When an IPv4/IPv6 packet is matched with a load balance entry based on the longest prefix match, REF performs
hash calculation based on the IPv4/IPv6 address of the packet and selects a path to forward the packet.
IPv4/IPv6 REF supports two kinds of load balancing policies: load balancing based on destination IP address, and load
balancing based on the source and destination IP addresses.
Related Configuration
N/A
12.4 Monitoring
REF packet statistics includes the number of forwarded packets and the number of packets discarded due to various causes.
You can determine whether packets are forwarded as expected by displaying and clearing REF packet statistics.
Command Description
show ip ref packet statistics Displays IPv4 REF packet statistics.
clear ip ref packet statistics Clears IPv4 REF packet statistics.
show ipv6 ref packet statistics Displays IPv6 REF packet statistics.
clear ipv6 ref packet statistics Clears IPv6 REF packet statistics.
Displaying Adjacency
Information
Command Description
Displays the gleaned adjacencies, local adjacencies,
show ip ref adjacency [glean | local | ip-address | {interface adjacencies of a specified IP address, adjacencies
interface_type interface_number } | discard | statistics] associated with a specified interface, and all adjacent
nodes in IPv4 REF.
12-3
Command Reference Configuring IPv4/IPv6 REF
Displaying Active
Resolution Information
You can run the following commands to display next hops to be resolved:
Command Description
show ip ref resolve-list Displays the next hop to be resolved .
show ipv6 ref resolve-list Displays the next hop to be resolved.
Displaying Packet
Forwarding Path
Information
Packets are forwarded based on their IPv4/IPv6 addresses. If the source and destination IPv4/IPv6 addresses of a packet
are specified, the forwarding path of this packet is determined. Run the following commands and specify the IPv4/IPv6
source and destination addresses of a packet. The forwarding path of the packet is displayed, for example, the packet is
discarded, submitted to a CPU, or forwarded. Furthermore, the interface that forwards the packet is displayed.
Command Description
show ip ref exact-route source-ipaddress dest_ipaddress Displays the forwarding path of a packet.
show ipv6 ref exact-route src-ipv6-address dst-ipv6-address Displays the forwarding path of an IPv6 packet.
Displaying Route
Information in an REF
Table
Run the following commands to display the route information in an REF table:
Command Description
Displays route information in the IPv4 REF table. The
show ip ref route [default | {ip mask}| statistics]
parameter default indicates a default route.
Displays route information in the IPv6 REF table. The
show ipv6 ref route [ default | statistics | prefix/len ]
parameter default indicates a default route.
12-4
IP Routing Configuration
1 Configuring RIP
2 Configuring RIPng
3 Configuring Routes
4 Configuring Keys
6 Configuring OSPFv2
7 Configuring OSPFv3
Configuration Guide Configuring RIP
1 Configuring RIP
1.1 Overview
Routing Information Protocol (RIP) is a unicast routing protocol applied on IPv4 networks. RIP-enabled routers exchange
routing information to obtain routes to remote networks.
As an Interior Gateway Protocol (IGP), RIP can run only within the autonomous system (AS) and is applicable to small-sized
networks whose longest path involves less than 16 hops.
1.2 Applications
Application Description
Basic RIP Application The routing information is automatically maintained through RIP on a small-sized
network.
On a network with a simple structure, you can configure RIP to implement network interworking. Configuring RIP is simpler
than configuring other IGP protocols like Open Shortest Path First (OSPF). Compared with static routes, RIP can dynamically
adapt to the network structure changes and is easier to maintain.
As shown in Figure 1-1, to implement interworking between PC1, PC2, and PC3, you can configure RIP routes on R1, R2,
and R3.
Configuration Guide Configuring RIP
Figure 1-1
Deployment
1.3 Features
Basic Concepts
Classful routing protocol: It supports classful routes. For example, RIPv1 is a classful routing protocol.
Classless routing protocol: It supports classless routes. For example, RIPv2 is a classless routing protocol.
Overview
Feature Description
Configuration Guide Configuring RIP
Feature Description
RIPv1 and RIPv2 RIP is available in two versions: RIPv1 and RIPv2.
Exchanging Routing By exchanging routing information, RIP-enabled devices can automatically obtain routes to a remote
Information network and update the routes in real time.
Routing Algorithm RIP is a protocol based on the distance-vector algorithm. It uses the vector addition method to
compute the routing information.
Avoiding Route Loops RIP uses functions, such as split horizon and poison reverse, to avoid route loops.
Security Measures RIP uses functions, such as authentication and source address verification, to ensure protocol
security.
Reliability Measures RIP uses functions, such as bidirectional forwarding detection (BFD) correlation, fast reroute, and
graceful restart (GR), to enhance reliability of the protocol.
Working Principle
RIPv1
RIPv1 packets are broadcast. The broadcast address is 255.255.255.255, and the UDP port ID is 520. RIPv1 cannot identify
the subnet mask, and supports only classful routes.
RIPv2
RIPv2 packets are multicast. The multicast address is 224.0.0.9, and the UDP port ID is 520. RIPv2 can identify the subnet
mask, and supports classless routes, summarized route, and supernetting routes. RIPv2 supports plain text authentication
and message digest 5 (MD5) authentication.
Related Configuration
You must enable the RIP process on a device; otherwise, all functions related to RIP cannot take effect.
Run the network command to define an address range. RIP runs on interfaces that belong to this address range.
After RIP runs on an interface, RIP packets can be exchanged on the interface and RIP can learn routes to the network
segments directly connected to the device.
By default, an interface receives RIPv1 and RIPv2 packets, and sends RIPv1 packets.
Run the version command to define the version of RIP packets sent or received on all interfaces.
Run the ip rip send version command to define the version of RIP packets sent on an interface.
Run the ip rip receive version command to define the version of RIP packets received on an interface.
If the versions of RIP running on adjacent routers are different, the RIPv1-enabled router will learn incorrect routes.
Run the no ip rip receive enable command to prevent an interface from receiving RIP packets.
Run the no ip rip send enable command to prevent an interface from sending RIP packets.
Run the passive-interface command to prevent an interface from sending broadcast or multicast RIP packets.
Run the ip rip v2-broadcast command to send broadcast RIPv2 packets on an interface.
Run the neighbor command to send unicast RIP packets to a specified neighbor router.
Working Principle
Initialization
After RIP is enabled on a router, the router sends a request packet to its neighbor router, requesting for all routing information,
that is, the routing table. After receiving the request message, the neighbor router returns a response packet containing the
local routing table. After receiving the response packet, the router updates the local routing table, and sends an update
packet to the neighbor router, informing the neighbor router of the route update information. After receiving the update packet,
the neighbor router updates the local routing table, and sends the update packet to other adjacent routers. After a series of
updates, all routers can obtain and retain the latest routing information.
Periodical Update
By default, periodical update is enabled for RIP. Adjacent routers exchange complete routing information with each other
every 30s (update timer), that is, the entire routing table is sent to neighbor routers. One update packet contains at most 25
routes. Therefore, a lot of update packets may be required to send the entire routing table. You can set the sending delay
between update packets to avoid loss of routing information.
For every non-local route, if the route is not updated within 180s (invalid timer), the metric of the route is changed to 16
(unreachable). If the route is still not updated in the next 120s (flush timer), the route is deleted from the routing table.
Configuration Guide Configuring RIP
Triggered Updates
After the triggered updates function is enabled, periodical update is automatically disabled. When routing information
changes on a router, the router immediately sends routes related to the change (instead of the complete routing table) to the
neighbor router, and use the acknowledgment and retransmission mechanisms to ensure that the neighbor router receives
the routes successfully. Compared with periodical update, triggered updates help reduce flooding and accelerates route
convergence.
Events that can trigger update include router startup, interface status change, changes in routing information (such as the
metric), and reception of a request packet.
Route Summarization
When sending routing information to a neighbor router, the RIP-enabled router summarizes subnet routes that belong to the
same classful network into a route, and sends the route to the neighbor router. For example, summarize 80.1.1.0/24
(metric=2) and 80.1.2.0/24 (metric=3) into 80.0.0.0/8 (metric=2), and set the metric of the summarized route to the optimum
metric.
Only RIPv2 supports route summarization. Route summarization can reduce the size of the routing table and improve the
efficiency of routing information exchange.
Supernetting Route
If the subnet mask length of a route is smaller than the natural mask length, this route is called supernetting route. For
example, in the 80.0.0.0/6 route, as 80.0.0.0 is a Class A network address and the natural mask is 8 bits, 80.0.0.0/6 route is a
supernetting route.
Default Route
In the routing table, a route to the destination network 0.0.0.0/0 is called default route.
The default route can be learned from a neighbor router, or sent to a neighbor router.
Route Redistribution
For RIP, other types of routes (such as direct routes, static routes, and routes of other routing protocols) are called external
routes.
External routes (excluding the default route) can be redistributed to RIP and advertised to neighbors.
Route Filtering
Filtering conditions can be configured to limit the routing information exchanged between adjacent routers. Only the routing
information that meets filtering conditions can be sent or received.
Related Configuration
By default, the update packets are sent continuously without any delay.
Configuration Guide Configuring RIP
Run the output-delay command to set the sending delay between update packets.
RIP Timers
By default, the update timer is 30s, the invalid timer is 180s, and the flush timer is 120s.
Run the timers basic command to modify durations of the RIP timers.
Increasing the duration of the flush timer can reduce the route flapping. Decreasing the duration of the flush timer helps
accelerate route convergence.
The durations of RIP timers must be consistent on adjacent routers. Unless otherwise required, you are advised not to modify
the RIP timers.
Triggered Updates
Run the ip rip triggered command to enable triggered updates on the interface and disable periodical update.
Run the ip rip triggered retransmit-timer command to modify the retransmission interval of update packets. The default
value is 5s.
Run the ip rip triggered retransmit-count command to modify the maximum retransmission times of update packets. The
default value is 36.
Route Summarization
By default, route summarization is automatically enabled if an interface is allowed to send RIPv2 packets.
Supernetting Route
By default, supernetting routes can be sent if an interface is allowed to send RIPv2 packets.
Run the no ip rip send supernet-routes command to prevent the sending of supernetting routes.
Default Route
Run the ip rip default-information command to advertise the default route to neighbors on an interface.
Run the default-information originate command to advertise the default route to neighbors from all interfaces.
Route Redistribution
Run the redistribute command to redistribute external routes (excluding the default route) to RIP and advertise them to
neighbors.
Route Filtering
Run the distribute-list out command to set filtering rules to limit the routing information sent by the device.
Run the distribute-list in command to set filtering rules to limit the routing information received by the device.
Configuration Guide Configuring RIP
Working Principle
Distance-Vector Algorithm
RIP is a protocol based on the distance-vector algorithm. The distance-vector algorithm treats a route as a vector that
consists of the destination network and distance (metric). The router obtains a route from its neighbor and adds the distance
vector from itself to the neighbor to the route to form its own route.
RIP uses the hop count to evaluate the distance (metric) to the destination network. By default, the hop count from a router to
its directly connected network is 0, the hop count from a router to a network that can be reached through the router is 1, and
so on. That is, the metric is equal to the number of routers from the local network to the destination network. To restrict the
convergence time, RIP stipulates that the metric must be an integer between 0 and 15. If the metric is equal to or greater than
16, the destination network or host is unreachable. For this reason, RIP cannot be applied on a large-scale network.
As shown in Figure 1-2, Router A is connected to the network 10.0.0.0. Router B obtains the route (10.0.0.0,0) from Router A
and adds the metric 1 to the route to obtain its own route ((10.0.0.0,1), and the next hop points to Router A.
Figure 1-2
RIP selects an optimum route based on the following principle: If multiple routes to the same destination network is available,
a router preferentially selects the route with the smallest metric.
As shown in Figure 1-3, Router A is connected to the network 10.0.0.0. Router C obtains the route (10.0.0.0,0) from Router A
and the route (10.0.0.0,1) from Router B. Router C will select the route that is obtained from Router A and add metric 1 to this
route to form its own route (10.0.0.0,1), and the next hop points to Router A.
Configuration Guide Configuring RIP
Figure 1-3
When routes coming from different sources exist on a router, the route with the smallest distance is preferentially
selected.
Route Source Default Distance
Directly-connected network 0
Static route 1
OSPF route 110
RIP route 120
Unreachable route 255
Related Configuration
For a RIP route that is proactively discovered by a device, the default metric is equal to the number of hops from the local
network to the destination network. For a RIP router that is manually configured (default route or redistributed route), the
default metric is 1.
Run the offset-list in command to increase the metric of a received RIP route.
Run the offset-list out command to increase the metric of a sent RIP route.
Run the default-metric command to modify the default metric of a redistributed route.
Run the redistribute command to modify the metric of a route when the route is redistributed.
Run the default-information originate command to modify the metric of a default route when the default route is introduced.
Run the ip rip default-information command to modify the metric of a default route when the default route is created.
Configuration Guide Configuring RIP
Working Principle
Route Loop
A RIP route loop occurs due to inherent defects of the distance-vector algorithm.
As shown in Figure 1-4, Router A is connected to the network 10.0.0.0, and sends an update packet every 30s. Router B
receives the route 10.0.0.0 from Router A every 30s. If Router A is disconnected from 10.0.0.0, the route to 10.0.0.0 will be
deleted from the routing table on Router A. Next time, the update packet sent by Router A no longer contains this route. As
Router B does not receive an update packet related to 10.0.0.0, Router B determines that the route to 10.0.0.0 is valid within
180s and uses the Update packet to send this route to Router A. As the route to 10.0.0.0 does not exist on Router A, the
route learned from Router B is added to the routing table. Router B determines that data can reach 10.0.0.0 through Router A,
and Router A determines that data can reach 10.0.0.0 through Router B. In this way, a route loop is formed.
Figure 1-4
Split Horizon
Split horizon can prevent route loops. After split horizon is enabled on an interface, a route received on this interface will not
be sent out from this interface.
As shown in Figure 1-5, after split horizon is enabled on the interface between Router A and Router B, Router B will not send
the route 10.0.0.0 back to Router A. Router B will learn 180s later that 10.0.0.0 is not reachable.
Figure 1-5
Poison Reverse
Poison reverse can also prevent route loops. Compared with slit horizon, poison reverse is more reliable, but brings more
protocol packets, which makes network congestion more severe.
After poison reverse is enabled on an interface, a route received from this interface will be sent out from this interface again,
but the metric of this router will be changed to 16 (unreachable).
Configuration Guide Configuring RIP
As shown in Figure 1-6, after learning the route 10.0.0.0 from Router A, Router B sets the metric of this route to 16 and sends
the route back to Router A. After this route becomes invalid, Router B advertises the route 10.0.0.0 (metric = 16) to Router A
to accelerate the process of deleting the route from the routing table.
Figure 1-6
Related Configuration
Split Horizon
Poison Reverse
Run the ip rip split-horizon poisoned-reverse command to enable poison reverse. (After poison reverse is enabled, split
horizon is automatically disabled.)
Working Principle
Authentication
After authentication is enabled on an interface, the routing information cannot be exchanged between adjacent devices if
authentication fails. The authentication function is used to prevent unauthorized devices from accessing the RIP routing
domain.
When a RIP-enabled device receives an Update packet, it checks whether the source IP address in the packet and the IP
address of the inbound interface are in the same network segment. If not, the device drops the packet. Source address
verification is used to ensure that RIP routing information is exchanged only between adjacent routing devices.
Related Configuration
Authentication
Run the ip rip authentication mode text command to enable plain text authentication on an interface.
Run the ip rip authentication mode md5 command to enable MD5 authentication on an interface.
Run the ip rip authentication text-password command to set the password for plain text authentication on an interface.
Run the ip rip authentication key-chain command to reference the key in the configured key chain as the authentication
key on an interface.
Working Principle
GR
GR ensures uninterrupted data transmission when the protocol is restarted. If RIP is restarted on a GR-enabled device, the
forwarding table before restart will be retained and a request packet will be sent to the neighbor so that the route can be
learned again. During the GR period, RIP completes re-convergence of the route. After the GR period expires, RIP updates
the forwarding entry and advertises the routing table to the neighbor.
Related Configuration
GR
By default, GR is disabled.
1.4 Configuration
Notes
Configuration Steps
Mandatory.
Unless otherwise required, this configuration must be performed on every router in the RIP routing domain.
Mandatory.
Unless otherwise required, this configuration must be performed on every router in the RIP routing domain.
Unless otherwise required, the local network associated with RIP should cover network segments of all L3 interfaces.
If RIPv2 functions (such as the variable length subnet mask and authentication) are required, enable the RIPv2.
Unless otherwise required, you must define the same RIP version on every router.
Unless otherwise required, enable split horizon on every interface connected to the broadcast network, such as the
Ethernet. (Retain the default setting.)
Unless otherwise required, enable split horizon on every interface connected to the point-to-point (P2P) network, such
as the PPP and HDLC. (Retain the default setting.)
It is recommended that split horizon and poison reverse be disabled on an interface connected to a non-broadcast
multi-access (NBMA) network, such as FR and X.25; otherwise, some devices may fail to learn the complete routing
information.
If the secondary IP address is configured for an interface connected to a non-broadcast, it is recommended that split
horizon and poison reverse be disabled.
If you want to suppress Update packets on a RIP interface, configure the interface as a passive interface.
Use the passive interface to set the boundary of the RIP routing domain. The network segment of the passive interface
belongs to the RIP routing domain, but RIP packets cannot sent over the passive interface.
If RIP routes need to be exchanged on an interface (such as the router interconnect interface) in the RIP routing domain,
this interface cannot be configured as a passive interface.
Verification
Check the routing table on a router to verify that the route to a remote network can be obtained through RIP.
Related Commands
Configuration This command is used to create a RIP routing process and enter routing process configuration mode.
Usage
Command version { 1 | 2 }
Syntax
Parameter 1: Indicates RIPv1.
Description 2: Indicates RIPv2.
Command Global configuration mode
Mode
Configuration This command takes effect on the entire router. You can run this command to define the version of RIP
Usage packets sent or received on all interfaces.
Configuration Example
Scenario
Figure 1-7
A(config-router)# version 2
B
B# configure terminal
Configuration Guide Configuring RIP
B(config-router)# version 2
C
C# configure terminal
C(config-router)# version 2
C(config-router)#no auto-summary
Verification Check the routing tables on Router A, Router B, and Router C. Verify that RIP learns the routes to remote
networks (contents marked in blue).
A
A# show ip route
B
B# show ip route
C
C# show ip route
Configuration Guide Configuring RIP
Common Errors
The RIP version is not defined on a device, or the RIP version on the device is different from that on other routers.
The address range configured by the network command does not cover a specific interface.
The wildcard parameter in the network command is not correctly configured. 0 indicates accurate matching, and 1
indicates that no comparison is performed.
The interface used for interconnection between devices is configured as a passive interface.
Change the default running mechanism of RIP through configuration and manually control the interaction mode of RIP
packets, including:
Allowing or prohibiting the sending of unicast RIP packets to a specified neighbor on an interface
Allowing or prohibiting the sending of unicast RIPv2 packets instead of broadcast packets to a specified neighbor on an
interface
Notes
On an interface connecting to a neighbor device, the configured version of sent RIP packets must be the same as the
version of received RIP packets.
Configuration Steps
Configure this function if you wish that only some of devices connected to an interface can receive the updated routing
information.
By default, RIPv1 uses the IP broadcast address (255.255.255.255) to advertise the routing information, whereas
RIPv2 uses the multicast address (224.0.0.9) to advertise the routing information. If you do not wish all devices on the
broadcast network or NBMA network to receive routing information, configure the related interface as the passive
interface and specify the neighbors that can receive the routing information. This command does not affect the receiving
of RIP packets. RIPv2 packets are broadcast on an interface.
Unless otherwise required, this function must be enabled on a router that sends the unicast Update packets.
This function must be configured if the neighbor router does not support the receiving of multicast RIPv2 packets.
Unless otherwise required, this function must be configured on every router interface that broadcasts RIPv2 packets.
This function is enabled by default, and must be disabled if an interface is not allowed to receive RIP packets.
Unless otherwise required, this function must be configured on every router interface that is not allowed to receive RIP
packets.
This function is enabled by default, and must be disabled if an interface is not allowed to send RIP packets.
Unless otherwise required, this function must be configured on every router interface that is not allowed to send RIP
packets.
This function must be configured if the version of RIP packets that can be sent on an interface is required to be different
from the global configuration.
Unless otherwise required, this function must be configured on every router interface that is allowed to send RIP
packets of a specified version.
This function must be configured if the version of RIP packets that can be received on an interface is required to be
different from the global configuration.
Unless otherwise required, this function must be configured on every router interface that is allowed to receive RIP
packets of a specified version.
Verification
Run the debug ip rip packet command to verify the packet sending result and packet type.
Related Commands
Configuration Example
Verification Run the debug ip rip packet send command on Router A, and verify that packets cannot be sent.
A
A# debug ip rip packet recv
*Nov 4 08:19:31: %RIP-7-DEBUG: [RIP] Interface GigabitEthernet 0/1 is disabled to send RIP packet!
Common Errors
A compatibility error occurs because the RIP version configured on the neighbor is different from that configured on the local
device.
Enable the RIP triggered updates function, after which RIP does not periodically send the route update packets.
Notes
It is recommended that split horizon with poisoned reverse be enabled; otherwise, invalid routing information may exist.
Ensure that the triggered updates function is enabled on every router on the same link; otherwise, the routing
information cannot be exchanged properly.
Configuration Steps
This function must be enabled if demand circuits are configured on the WAN interface.
The triggered updates function can be enabled in either of the following cases: (1) The interface has only one neighbor;
(2) The interface has multiple neighbors but the device interacts with these neighbors in unicast mode.
It is recommended that triggered updates be enabled on a WAN interface (running the PPP, Frame Relay, or X.25 link
layer protocol) to meet the requirements of demand circuits.
If the triggered updates function is enabled on an interface, source address verification is performed no matter whether
the source address verification function is enabled by the validate-update-source command.
Unless otherwise required, triggered updates must be enabled on demand circuits of every router.
Verification
When the RIP triggered updates function is enabled, RIP cannot periodically send the route update packets. RIP sends the
route update packets to the WAN interface only in one of the following cases:
Related Commands
parameters to specify the retransmission interval and maximum retransmission times of the request and
update packets.
Configuration Example
Scenario
Figure 1-9
B
B# configure terminal
Verification On Router A and Router B, check the RIP database and verify that the corresponding routes are permanent.
A
A# sho ip rip database
201.1.1.0/24 auto-summary
201.1.1.0/24
B
B# sho ip rip database
200.1.1.0/24 auto-summary
200.1.1.0/24
Common Errors
The triggered updates function is enabled when the RIP configurations at both ends of the link are consistent.
The triggered updates function is not enabled on all routers on the same link.
The source address of the received RIP route update packet is verified.
Notes
Configuration Steps
This function is enabled by default, and must be disabled when source address verification is not required.
After split horizon is disabled on an interface, the RIP routing process will perform source address verification on the
Update packet no matter whether the validate-update-source command is executed in routing process configuration
mode.
For an IP unnumbered interface, the RIP routing process does not perform source address verification on the Update
packet no matter whether the validate-update-source command is executed in routing process configuration mode.
Unless otherwise required, this function must be disabled on every router that does not requires source address
verification.
Verification
Configuration Guide Configuring RIP
Only the route update packets coming from the same IP subnet neighbor are received.
Related Commands
Command validate-update-source
Syntax
Parameter N/A
Description
Command Routing process configuration mode
Mode
Configuration Source address verification of the Update packet is enabled by default. After this function is enabled, the
Usage source address of the RIP route update packet is verified. The purpose is to ensure that the RIP routing
process receives only the route update packets coming from the same IP subnet neighbor.
Configuration Example
Scenario
Figure 1-10
A(config-router)# no validate-update-source
B
B# configure terminal
B(config-router)# no validate-update-source
Verification On Router A, check the routing table and verify that the entry 201.1.1.0/24 is loaded.
On Router B, check the routing table and verify that the entry 200.1.1.0/24 is loaded.
A
A# show ip route rip
B
B# show ip route rip
Configuration Guide Configuring RIP
Scenario
Figure 1-10
A(config-router)# no validate-update-source
B
B# configure terminal
B(config-router)# no validate-update-source
Verification On Router A, check the routing table and verify that the entry 201.1.1.0/24 is loaded.
On Router B, check the routing table and verify that the entry 200.1.1.0/24 is loaded.
R 200.1.1.0/24 [120/1] via 192.168.1.1, 00:06:11, GigabitEthernet 0/1
Prevent learning unauthenticated and invalid routes and advertising valid routes to unauthorized devices, ensuring
stability of the system and protecting the system against intrusions.
Notes
Only RIPv2 supports authentication of RIP packets, and RIPv1 does not.
Configuration Steps
Enabling Authentication and Specifying the Key Chain Used for RIP Authentication
If the key chain is already specified in the interface configuration, run the key chain command in global configuration
mode to define the key chain; otherwise, authentication of RIP packets may fail.
Configuration Guide Configuring RIP
Unless otherwise required, this configuration must be performed on every router that requires authentication.
The RIP authentication modes configured on all devices that need to directly exchange RIP routing information must be
the same; otherwise, RIP packets may fail to be exchanged.
If plain text authentication is used, but the key chain for plain text authentication is not configured or associated,
authentication is not performed. Similarly, if MD5 authentication is used, but the key chain is not configured or
associated, authentication is not performed.
Unless otherwise required, this configuration must be performed on every router that requires authentication.
Enabling RIP Plain Text Authentication and Configuring the Key Chain
If RIP plain text authentication should be enabled, use this command to configure the key chain for plain text
authentication. Alternatively, you can obtain the key chain for plain text authentication by associating the key chain. The
key chain obtained using the second method takes precedence over that obtained using the first method.
Unless otherwise required, this configuration must be performed on every router that requires authentication.
Verification
RIP plain text authentication provides only limited security because the password transferred through the packet is
visible.
RIP MD5 authentication can provide higher security because the password transferred through the packet is encrypted
using the MD5 algorithm.
Routes can be learned properly if the correct authentication parameters are configured.
Related Commands
Enabling RIP Plain Text Authentication and Configuring the Key Chain
Configuration Example
Scenario
Figure 1-11
A(config-keychain)# key 1
A(config-keychain-key)# exit
A(config-keychain)# exit
B
B# configure terminal
B(config-keychain)# key 1
B(config-keychain-key)# exit
B(config-keychain)# exit
Verification On Router A, check the routing table and verify that the entry 201.1.1.0/24 is loaded.
On Router B, check the routing table and verify that the entry 200.1.1.0/24 is loaded.
A
A# show ip route rip
B
A# show ip route rip
Common Errors
The keys configured on routers that need to exchange RIP routing information are different.
The authentication modes configured on routers that need to exchange RIP routing information are different.
Reduce the size of the routing table, improve the routing efficiency, avoid route flapping to some extent, and improve
scalability and effectiveness of the network.
If a summarized route exists, subroutes included by the summarized route cannot be seen in the routing table, which
greatly reduces the size of the routing table.
Configuration Guide Configuring RIP
Advertising a summarized route is more efficient than advertising individual routes because: (1) A summarized route is
processed first when RIP looks through the database; (2) All subroutes are ignored when RIP looks through the
database, which reduces the processing time required.
Notes
The range of supernetting routes is larger than that of the classful network. Therefore, the automatic route
summarization function is invalid for supernetting routes.
RIPv1 always performs automatic route summarization. If the detailed routes should be advertised, you must set the
RIP version to RIPv2.
Configuration Steps
To learn specific subnet routes instead of summarized network routes, you must disable automatic route
summarization.
You can disable automatic route summarization only in RIPv2. RIPv1 always performs automatic route summarization.
The ip rip summary-address command is used to summarize an address or a subnet under a specified interface. RIP
automatically summarizes to the classful network boundary. Each classful subnet can be configured only in the ip rip
summary-address command.
The summary range configured in this command cannot be supernetting routes, that is, the configured subnet mask
length cannot be smaller than the natural mask length of the network.
Unless otherwise required, this configuration should be performed on a router that requires classful subnet
summarization.
Verification
Verify that the routes are summarized in the routing table of the peer end.
Related Commands
Command auto-summary
Syntax
Parameter N/A
Description
Configuration Guide Configuring RIP
Configuration Example
Scenario
Figure 1-12
B# configure terminal
B(config-router)# version 2
B(config-router)# no auto-summary
Verification Check the routing table on Router A, and verify that the entry 172.16.0.0/16 is generated.
Common Errors
Notes
Configuration Steps
If a supernetting route is detected when a RIPv1-enabled router monitors the RIPv2 route response packets, the router
will learn an incorrect route because RIPv1 ignores the subnet mask in the routing information of the packet. In this
case, the no form of the command must be used on the RIPv2-enabled router to prohibit advertisement of supernetting
routes on the related interface. This command takes effect only on the current interface.
The command is effective only when RIPv2 packets are sent on the interface, and is used to control the sending of
supernetting routes.
Verification
Verify that the peer router cannot learn the supernetting route.
Related Commands
Parameter N/A
Description
Command Interface configuration mode
Mode
Configuration By default, an interface is allowed to send RIP supernetting routes.
Usage
Configuration Example
Scenario
Figure 1-13
B# configure terminal
Verification Check the routing table on Router A, and verify that Router A can learn only the non-supernetting route
208.1.1.0/24, but not the supernetting route 207.0.0.0/8.
In the RIP domain, introduce a unicast route of another AS so that the unicast routing service to this AS can be provided
for users in the RIP domain.
Configuration Guide Configuring RIP
In the RIP domain, inject a default route to another AS so that the unicast routing service to this AS can be provided for
users in the RIP domain.
Notes
Route redistribution cannot introduce default routes of other protocols to the RIP routing domain.
Configuration Steps
This function must be enabled if it is required to advertise the default route to neighbors.
By default, a default route is not generated, and the metric of the default route is 1.
If the RIP process can generate a default route using this command, RIP does not learn the default route advertised by the
neighbor.
Unless otherwise required, this configuration should be performed on a router that needs to advertise the default route.
This function must be enabled if it is required to advertise the default route to neighbors on a specified interface.
By default, a default route is not configured and the metric of the default route is 1.
After this command is configured on an interface, a default route is generated and advertised through this interface.
Unless otherwise required, this configuration should be performed on a router that needs to advertise the default route.
By default,
If OSPF redistribution is configured, redistribute the routes of all sub-types of the OSPF process.
During route redistribution, it is not necessary to convert the metric of one routing protocol to the metric of another routing
protocol because different routing protocols use completely different metric measurement methods. RIP measures the metric
based on the hop count, and OSPF measures the metric based on the bandwidth. Therefore, the computed metrics cannot
be compared with each other. During route redistribution, however, it is necessary to configure a symbolic metric; otherwise,
route redistribution fails.
Unless otherwise required, this configuration should be performed on a router that needs to redistribute routes.
Verification
Configuration Guide Configuring RIP
On a neighbor device, verify that a default route exists in the RIP routing table.
On the local and neighbor devices, verify that external routes (routes to other ASs) exist in the RIP routing table.
Related Commands
Command redistribute { connected | ospf process-id | static } [ match { internal | external [ 1 | 2 ] | nssa-external
Syntax [ 1 | 2 ] } ] [ metric metric-value ] [ route-map route-map-name ]
Parameter connected: Indicates redistribution from direct routes.
Description ospf process-id: Indicates redistribution from OSPF. process-id indicates the OSPF process ID. The value
ranges from 1 to 65535.
static: Indicates redistribution from static routes.
match: Used only when OSPF routes are redistributed. Only the routes that match the filtering conditions
are redistributed.
metric metric-value: Sets the metric of the redistributed route. The value ranges from 1 to 16.
route-map route-map-name: Sets the redistribution filtering rules.
Command Routing process configuration mode
Mode
Configuration If you configure redistribution of OSPF routes without specifying the match parameter, OSPF routes of all
Usage sub-types can be distributed by default. The latest setting of the match parameter is used as the initial
match parameter. Only routes that match the sub-types can be redistributed. You can use the no form of
the command to restore the default value of match.
The configuration rules for the no form of the redistribute command are as follows:
1. If some parameters are specified in the no form of the command, default values of these parameters will
be restored.
2. If no parameter is specified in the no form of the command, the entire command will be deleted.
Configuration Example
Scenario
Figure 1-14
Verification On Router A, check the routing table and verify that the entry 172.10.10.0/24 is loaded.
Configuration Guide Configuring RIP
Routes that do not meet filtering criteria cannot be loaded to the routing table, or advertised to neighbors. In this way,
users within the network can be prevented from accessing specified destination networks.
Notes
In regard to the filtering rules of sent routes, you must configure route redistribution first, and then filter the redistributed
routes.
Configuration Steps
To refuse receiving some specified routes, you can configure the route distribution control list to process all the received
route update packets. If no interface is specified, route update packets received on all interfaces will be processed.
Unless otherwise required, this configuration should be performed on a router that requires route filtering.
This function must be configured if it is required to filter the redistributed routing information that is sent.
If this command does not contain any optional parameter, route update advertisement control takes effect on all
interfaces. If the command contains the interface parameter, route update advertisement control takes effect only on
the specified interface. If the command contains other routing process parameters, route update advertisement control
takes effect only on the specified routing process.
Unless otherwise required, this configuration should be performed on a router that requires route filtering.
Verification
Run the show ip route rip command to verify that the routes that have been filtered out are not loaded to the routing
table.
Related Commands
Parameter access-list-number | name: Specifies the access list. Only routes permitted by the access list can be
Description received.
prefix prefix-list-name: Uses the prefix list to filter routes.
gateway prefix-list-name: Uses the prefix list to filter the route sources.
interface-type interface-number: Indicates that the distribution list is applied to the specified interface.
Command Routing process configuration mode
Mode
Configuration N/A
Usage
Command distribute-list { [ access-list-number | name ] | prefix prefix-list-name } out [ interface | [connected] | ospf
Syntax process-id | rip | static ] ]
Parameter access-list-number | name: Specifies the access list. Only routes permitted by the access list can be sent.
Description prefix prefix-list-name: Uses the prefix list to filter routes.
Interface: Applies route update advertisement control only on the specified interface.
connected: Applies route update advertisement control only on direct routes introduced through
redistribution.
ospf process-id: Applies route update advertisement control only on the routes introduced from OSPF.
process-id specifies an OSPF process.
rip: Applies route update advertisement control only on RIP routes.
static: Applies route update advertisement control only on static routes introduced through redistribution.
Command Routing process configuration mode
Mode
Configuration N/A
Usage
Configuration Example
Scenario
Figure 1-15
Configuration Guide Configuring RIP
A(config-router)# no auto-summary
Verification On Router A, check the routing table and verify that only the entry 200.1.1.0/24 exists.
A
A# show ip route rip
Scenario
Figure 1-16
B(config-router)# version 2
Verification Check the routing table on Router A, and verify that route in the 200.1.1.0 network segment exists.
Configuration Guide Configuring RIP
A
A# show ip route rip
Common Errors
Filtering fails because the filtering rules of the access list are not properly configured.
Change the RIP routes to enable the traffic pass through specified nodes or avoid passing through specified nodes.
Change the sequence that a router selects various types of routes so as to change the priorities of RIP routes.
Notes
Configuration Steps
Optional.
This configuration is mandatory if you wish to change the priorities of RIP routes on a router that runs multiple unicast
routing protocols.
Optional.
Unless otherwise required, this configuration should be performed on a router where the metrics of routes need to be
adjusted.
Optional.
Unless otherwise required, this configuration must be performed on an ASBR to which external routes are introduced.
Verification
Run the show ip rip command to display the administrative distance currently configured. Run the show ip rip data
command to display the metrics of redistributed routes to verify that the configuration takes effect.
Related Commands
Syntax
Parameter distance: Sets the administrative distance of a RIP route. The value is an integer ranging from 1 to 255.
Description ip-address: Indicates the prefix of the source IP address of the route.
wildcard: Defines the IP address comparison bit. 0 indicates accurate matching, and 1 indicates that no
comparison is performed.
Command Routing process configuration mode
Mode
Configuration Run this command to configure the administrative distance of a RIP route.
Usage
Configuration Example
Scenario
Figure 1-17
A(config-router)# offset-list 8 in 7
Verification Check the routing table on Router A and Router B to verify that the metrics of RIP routes are 8.
A
A# show ip route rip
B
B# show ip route rip
Change the duration of RIP timers to accelerate or slow down the change of the protocol state or occurrence of an
event.
Notes
Modifying the protocol control parameters may result in protocol running failures. Therefore, you are advised not to
modify the timers.
Configuration Steps
Configuration Guide Configuring RIP
This configuration must be performed if you need to adjust the RIP timers.
By adjusting the timers, you can reduce the convergence time and fault rectification time of the routing protocol. For routers
connected to the same network, values of the three RIP timers must be the same. Generally, you are advised not to modify
the RIP timers unless otherwise required.
Setting timers to small values on a low-speed link brings risks because a lot of Update packets consume the bandwidth. You
can set timers to small values generally on the Ethernet or a 2 Mbps (or above) link to reduce the convergence time of
network routes.
Unless otherwise required, this configuration should be performed on a router where RIP timers need to be modified.
This configuration must be performed if you need to adjust the sending delay between RIP Update packets.
Run the output-delay command to increase the sending delay between packets on a high-speed device so that a low-speed
device can receive and process all Update packets.
Unless otherwise required, this configuration should be performed on a router where the sending delay needs to be adjusted.
Verification
Run the show ip rip command to display the current settings of RIP timers.
Related Commands
Usage
Configuration Example
Scenario
Figure 1-18
A(config-router)# output-delay 30
Verification Capture packets on Router A and compare the sending time of update packets before and after the
configuration, and verify that a delay of 30 ms is introduced.
Common Errors
For routers connected to the same network, values of the three RIP timers are not the same.
Configuration Guide Configuring RIP
1.4.12 Enabling GR
Configuration Effect
When a distributed route switches services from the active board to the standby board, traffic forwarding continues and
is not interrupted.
When the RIP process is being restarted, traffic forwarding continues and is not interrupted.
Notes
During the RIP GR process, ensure that the network environment is stable.
Configuration Steps
This configuration must be performed if RIP needs to be gracefully restarted to ensure data forwarding during hot standby
switchover.
The GR function is configured based on the RIP process. You can configure different parameters for different RIP processes
based on the actual conditions.
The GR period is the maximum time from restart of the RIP process to completion of GR. During this period, the forwarding
table before the restart is retained, and the RIP route is restored so as to restore the RIP state before the restart. After the
restart period expires, RIP exits from the GR state and performs common RIP operations.
Unless otherwise required, this configuration should be performed on every router that needs to be gracefully restarted.
Verification
Run the show ip rip command to display the GR state and configured time.
Trigger a hot standby switchover, and verify that data forwarding is not interrupted.
Related Commands
Configuration This command allows you to explicitly modify the GR period. Note that GR must be completed after the
Usage update timer of the RIP route expires and before the invalid timer of the RIP route expires. An inappropriate
GR period cannot ensure uninterrupted data forwarding during the GR process. A typical case is as follows:
If the GR period is longer than the duration of the invalid timer, GR is not completed when the invalid timer
expires. The route is not re-advertised to the neighbor, and forwarding of the route of the neighbor stops
after the invalid timer expires, causing interruption of data forwarding on the network. Unless otherwise
required, you are advised not to adjust the GR period. If it is necessary to adjust the GR period, ensure that
the GR period is longer than the duration of the update timer but shorter than the duration of the invalid timer
based on the configuration of the timers basic command.
Configuration Example
Scenario
Figure 1-19
B# configure terminal
Verification Trigger a hot standby switchover on Router B, and verify that the routing tables of destination Network
1 and Network 2 remain unchanged on Router A during the switchover.
Trigger a hot standby switchover on Router B, ping destination Network 1 from Router A, and verify
that traffic forwarding is not interrupted during the switchover.
Configuration Guide Configuring RIP
1.5 Monitoring
Displaying
Description Command
Displays the basic information about show ip rip
a RIP process.
Displays the RIP routing table. show ip rip database [ network-number network-mask ] [ count ]
Displays information about external
show ip rip external [ connected ] | ospf process-id | static]
routes redistributed by RIP.
Displays the RIP interface
show ip rip interface [ interface-type interface-number ]
information.
Displays the RIP neighbor
show ip rip peer [ ip-address ]
information.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs events that occur when the debug ip rip event
RIP process is running.
Debugs interaction with the NSM debug ip rip nsm
process.
Debugs the sent and received debug ip rip packet [ interface interface-type interface-number | recv | send ]
packets.
Debugs the RIP GR process. debug ip rip restart
Debugs the route changes of the RIP debug ip rip route
process.
Configuration Guide Configuring RIPng
2 Configuring RIPng
2.1 Overview
RIP next generation (RIPng) is a unicast routing protocol that applies to IPv6 networks. RIPng-enabled routers exchange
routing information to obtain routes to remote networks.
As an Interior Gateway Protocol (IGP), RIPng can run only within the autonomous system (AS) and is applicable to
small-sized networks with routes no more than 16 hops.
2.2 Application
RIPng is generally used on some small-sized networks, such as office networks of small companies.
As shown in the following figure, the company builds an IPv6 network, on which all routers support IPv6. The network is small
in size, but the workload is still heavy if the network is maintained manually. In this case, RIPng can be configured to adapt to
topological changes of the small-sized network, which reduces the workload.
Figure 2-1
2.3 Features
Basic Concepts
Feature
Feature Description
RIPng and RIP RIPng is an extension of RIPv2 on the basis of IPv6. Both are similar in functions and configurations.
Exchanging Routing By exchanging routing information, RIPng-enabled devices can automatically obtain routes to a
Information remote network and update routes in real time.
Routing Algorithm RIPng is a protocol based on the distance-vector algorithm. It uses the vector addition method to
compute the routing information.
Avoiding Route RIPng uses functions, such as split horizon and poison reverse, to avoid route loops.
Loops
Working Principle
RIPv2
RIPv2 packets are multicast. The multicast address is 224.0.0.9, and the UDP port ID is 520. RIPv2 can identify the subnet
mask.
RIPng
RIPng packets are multicast. The multicast address is FF02::9, the source address is FE80::/10, and the UDP port ID is 521.
RIPng can identify the subnet mask.
This chapter describes functions and configurations of RIPng. For details about RIPv2, see "Configuring RIP".
Related Configuration
Working Principle
Initialization
After RIPng is enabled on a router, the router sends a request packet to its neighbor router, requesting for all routing
information, that is, the routing table. After receiving the request message, the neighbor router returns a response packet
containing the local routing table. After receiving the response packet, the router updates the local routing table, and sends
an update packet to the neighbor router, informing the neighbor router of the route update information. After receiving the
update packet, the neighbor router updates the local routing table, and sends the update packet to other adjacent routers.
After a series of updates, all routers can obtain and retain the latest routing information.
Periodical Update
By default, periodical update is enabled for RIPng. Adjacent routers exchange complete routing information with each other
every 30s (update timer), that is, the entire routing table is sent to neighbor routers.
For every non-local route, if the route is not updated within 180s (invalid timer), the metric of the route is changed to 16
(unreachable). If the route is still not updated in the next 120s (flush timer), the route is deleted from the routing table.
Default Route
In the routing table, a route to the destination network ::/0 is called default route.
The default route can be learned from a neighbor router, or sent to a neighbor router.
Route Redistribution
For RIPng, other types of routes (such as direct routes, static routes, and routes of other routing protocols) are called
external routes.
External routes (excluding the default route) can be redistributed to RIPng and advertised to neighbors.
Route Filtering
Filtering conditions can be configured to limit the routing information exchanged between adjacent routers. Only the routing
information that meets filtering conditions can be sent or received.
Related Configuration
RIPng Timers
By default, the update timer is 30s, the invalid timer is 180s, and the flush timer is 120s.
Configuration Guide Configuring RIPng
Default Route
Run the ipv6 rip default-information command to advertise the default route to neighbors on an interface.
Route Redistribution
Run the redistribute command to redistribute external routes (excluding the default route) to RIPng and advertise them to
neighbors.
Route Filtering
Run the distribute-list out command to set filtering rules to limit the routing information sent by the device.
Run the distribute-list in command to set filtering rules to limit the routing information received by the device.
Working Principle
Distance-Vector Algorithm
RIPng is a protocol based on the distance-vector algorithm. The distance-vector algorithm treats a route as a vector that
consists of the destination network and distance (metric). The router obtains a route from its neighbor and adds the distance
vector from itself to the neighbor to the route to form its own route.
RIPng uses the hop count to evaluate the distance (metric) to the destination network. By default, the hop count from a router
to its directly connected network is 0, the hop count from a router to a network that can be reached through a router is 1, and
so on. That is, the metric is equal to the number of routers from the local network to the destination network. To restrict the
convergence time, RIPng stipulates that the metric must be an integer between 0 and 15. If the metric is equal to or greater
than 16, the destination network or host is unreachable. For this reason, RIPng cannot be applied to a large-scale network.
As shown in the following figure, Router A is connected to the network 2::/64. Router B obtains the route (2::/64, 0) from
Router A and adds the metric 1 to the route to obtain its own route (2::/64, 1), and the next hop points to Router A.
Figure 2-2
Configuration Guide Configuring RIPng
RIPng selects an optimum route based on the following principle: If multiple routes to the same destination network is
available, a router preferentially selects the route with the smallest metric.
As shown in the following figure, Router A is connected to the network 2::/64. Router C obtains the route (2::/64, 0) from
Router A and the route (2::/64, 1) from Router B. Router C will select the route that is obtained from Router A and add metric
1 to this route to form its own route (2::/64, 1), and the next hop points to Router A.
Figure 2-3
When routes coming from different sources exist on a router, the route with the smaller distance is preferentially
selected.
Route Source Default Distance
Directly-connected network 0
Static route 1
OSPF route 110
RIPng route 120
Unreachable route 255
Related Configuration
For a RIPng route that is proactively discovered by a device, the default metric is equal to the number of hops from the local
network to the destination network. The metric offset of the interface is 1.
For a RIPng router that is manually configured (default route or redistributed route), the default metric is 1.
Run the ipv6 rip metric-offset command to modify the metric offset of the interface.
Run the default-metric command to modify the default metric of an external route (redistributed route).
Run the redistribute command to modify the metric of an external route (redistributed route) when advertising this route.
Run the ipv6 rip default-information command to modify the metric of a default route when advertising the default route.
Working Principle
Route Loop
A RIPng route loop occurs due to inherent defects of the distance-vector algorithm.
As shown in the following figure, Router A is connected to the network 2::/64, and sends an update packet every 30s. Router
B receives the route to 2::/64 from Router A every 30s. If Router A is disconnected from 2::/64, the route to 2::/64 will be
deleted from the routing table on Router A. Next time, the update packet sent by Router A no longer contains this route. As
Router B does not receive an update packet related to 2::/64, Router B determines that the route to 2::/64 is valid within 180s
and uses the update packet to send this route to Router A. As the route to 2::/64 does not exist on Router A, the route
learned from Router B is added to the routing table. Router B determines that data can reach 2::/64 through Router A, and
Router A determines that data can reach 2::/64 through Router B. In this way, a route loop is formed.
Figure 2-4
Split Horizon
Split horizon can prevent route loops. After split horizon is enabled, a route received on this interface will not be sent out from
this interface.
Configuration Guide Configuring RIPng
As shown in the following figure, after split horizon is enabled on Router B, Router B will not send the route to 2::/64 back to
Router A. Router B will learn 180s later that 2::/64 is not reachable.
Figure 2-5
Poison Reverse
Poison reverse can also prevent route loops. Compared with slit horizon, poison reverse is more reliable, but brings more
protocol packets, which makes network congestion more severe.
After poison reverse is enabled on an interface, a route received from this interface will be sent out from this interface again,
but the metric of this router will be changed to 16 (unreachable).
As shown in the following figure, after poison reverse is enabled on Router A, if Route A detects a disconnection from 2::/64,
Router A will not delete the route to 2::/64. Instead, Router A changes the number of hops to 16, and advertises the route
through the update packet. On receiving the update packet, Router B learns that 2::/64 is not reachable.
Figure 2-6
Related Configuration
Split Horizon
Poison Reverse
2.4 Configuration
Notes
Configuration Steps
Mandatory.
Unless otherwise required, perform this configuration on every router in the RIPng routing domain.
Mandatory.
Unless otherwise required, perform this configuration on every interconnected interface of routers in the RIPng routing
domain.
Verification
Check the routing table on a router to verify that the route to a remote network can be obtained through RIPng.
Related Commands
Parameter N/A
Description
Command Interface configuration mode
Mode
Usage Guide The configuration for running the RIPng on an interface is different from that of RIPv2. In RIPv2, the
network command is configured in routing process configuration mode to define an IP address range. If the
IP address of an interface belongs to this IP address range, RIP automatically runs on this interface.
Configuration Example
Scenario
Figure 2-7
A(config-router)# exit
B
B# configure terminal
B(config-router)# exit
C
C# configure terminal
C(config-router)# exit
C(config-if-GigabitEthernet 0/0)#
Configuration Guide Configuring RIPng
Verification Check the routing tables on Router A, Router B, and Router C. The routing tables should contain routes to a
remote network that are learned through RIPng.
A
A# show ipv6 route
IA - Inter area
B
B# show ipv6 route
IA - Inter area
C
Ruijie# show ipv6 route
IA - Inter area
The 29 series switch does not support ISIS or BGP. The configuration example is only for reference.
Common Errors
The interface used for interconnection between devices is configured as a passive interface.
Configuration Guide Configuring RIPng
In the RIPng domain, introduce a unicast route of another AS so that the unicast routing service to this AS can be
provided for users in the RIPng domain.
In the RIPng domain, inject a default route to another AS so that the unicast routing service to this AS can be provided
for users in the RIPng domain.
Notes
Configuration Steps
Optional.
Perform this configuration if external routes of the RIPng domain should be introduced to the AS border router (ASBR).
Optional.
Perform this configuration if the default route should be introduced to an ASBR so that other routers in the RIPng
domain access other AS domains through this ASBR by default.
Verification
Run the show ipv6 route rip command on a non-ASBR to check whether the external routes of the domain and default
route have been loaded.
Related Commands
Command redistribute { connected | ospf process-id | static } [ metric metric-value | route-map route-map-name ]
Parameter Connected: Indicates redistribution from direct routes.
Description ospf process-id: Indicates redistribution from OSPF. process-id indicates the OSPF process ID. The value
ranges from 1 to 65535.
static: Indicates redistribution from static routes.
metric metric-value: Sets the metric of the route redistributed to the RIPng domain.
route-map route-map-name: Sets the redistribution filtering rules.
Command Routing process configuration mode
Mode
Usage Guide During route redistribution, it is not necessary to convert the metric of one routing protocol to the metric of
another routing protocol because different routing protocols use completely different metric measurement
methods. RIP measures the metric based on the hop count, and OSPF measures the metric based on the
bandwidth. Therefore, the computed metrics cannot be compared with each other.
Configuration Example
Scenario
Figure 2-8
B
B# configure terminal
Verification Check the routing tables on Router A and Router B, and confirm that Router A can learn the route
3001:10:10::/64, and Router B can learn the default route ::/0.
Configuration Guide Configuring RIPng
A
A# show ipv6 route rip
IA - Inter area
B
B# show ipv6 route rip
IA - Inter area
The 29 series switch does not support ISIS or BGP. The configuration example is only for reference.
Routes that do not meet filtering criteria cannot be loaded to the routing table, or advertised to neighbors. In this way,
users within the network can be prevented from accessing specified destination networks.
Notes
Configuration Steps
To refuse receiving some specified routes, you can configure the route distribution control list to process all the received
route update packets. If no interface is specified, route update packets received on all interfaces will be processed.
If this command does not contain any optional parameter, route update advertisement control takes effect on all
interfaces. If the command contains the interface parameter, route update advertisement control takes effect only on
the specified interface. If the command contains other routing process parameters, route update advertisement control
takes effect only on the specified routing process.
Verification
Run the show ipv6 route rip command to check that the routes that have been filtered out are not loaded to the routing
table.
Related Commands
Configuration Example
Scenario
Figure 2-9
Verification Check that Router A can learn only the route to 4001::/64.
Configuration Guide Configuring RIPng
A
A# show ipv6 route rip
IA - Inter area
Change the RIPng routes to enable the traffic pass through specified nodes or avoid passing through specified nodes.
Change the sequence that a router selects various types of routes so as to change the priorities of RIPng routes.
Notes
Configuration Steps
Optional.
Perform this configuration if you wish to change the priorities of RIPng routes on a router that runs multiple unicast
routing protocols.
Optional.
Unless otherwise required, perform this configuration on a router where the metrics of routes need to be adjusted.
Optional.
Unless otherwise required, perform this configuration on an ASBR to which external routes are introduced.
Verification
Run the show ipv6 rip command to display the administrative distance of RIPng routes.
Run the show ipv6 rip data command to display the metrics of external routes redistributed to RIPng.
Configuration Guide Configuring RIPng
Related Commands
Configuration Example
Scenario
Figure 2-10
Configuration Guide Configuring RIPng
A# configure terminal
Verification On Router A, check whether the administrative distance of a RIPng route is 160.
Change the duration of RIPng timers to accelerate or slow down the change of the protocol state or occurrence of an
event.
Notes
Modifying the protocol control parameters may result in protocol running failures. Therefore, you are advised not to
modify the timers.
Configuration Steps
Mandatory.
Unless otherwise required, perform this configuration on a router where RIPng timers need to be modified.
Verification
Related Commands
updated. The duration of the invalid timer must be at least three times the duration of the update timer. If no
update packet is received before the invalid timer expires, the corresponding route enters the invalid state. If
the update packet is received before the invalid timer expires, the timer is reset. The default duration of the
invalid timer is 180s.
Flush: Indicates the route flushing time in second, counted from the time when the RIPng route enters the
invalid state. When the flush timer expires, the route in the invalid state will be deleted from the routing table.
The default duration of the flush timer is 120s.
Command Routing process configuration mode
Mode
Usage Guide By default, the update timer is 30s, the invalid timer is 180s, and the flush timer is 120s.
Configuration Example
Scenario
Figure 2-11
B(config-router)# timers 10 30 90
B
B# show ipv6 rip
Outgoing update filter list for all interface is: not set
Incoming update filter list for all interface is: not set
Redistribution:
GigabitEthernet 0/1 1 1
Common Errors
Settings of RIPng timers on devices connected to the same network are inconsistent. Consequently, routes cannot be
learned properly.
2.5 Monitoring
Displaying
Description Command
Displays information about the RIPng show ipv6 rip
process.
Displays the RIPng routing table. show ipv6 rip database
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs RIPng. debug ipv6 rip [interface interface-type interface-num | nsm | restart
Configuration Guide Managing Routes
3 Managing Routes
3.1 Overview
The network service module (NSM) manages the routing table, consolidates routes sent by various routing protocols, and
selects and sends preferred routes to the routing table. Routes discovered by various routing protocols are stored in the
routing table. These routes are generally classified by source into three types:
Direct route: It is the route discovered by a link-layer protocol and is also called interface route.
Static route: It is manually configured by the network administrator. A static route is easy to configure and less
demanding on the system, and therefore applicable to a small-sized network that is stable and has a simple topology.
However, when the network topology changes, the static route must be manually reconfigured and cannot automatically
adapt to the topological changes.
3.2 Applications
Application Description
Basic Functions of the Static Route Manually configure a route.
Floating Static Route Configure a standby route in the multipath scenario.
Load Balancing Static Route Configure load balancing static routes in the multipath scenario.
On a network with a simple topology, you can configure only static routes to implement network interworking. Appropriate
configuration and use of static routes can improve the network performance and guarantee the bandwidth for important
network applications.
As shown in Figure 3-1, to implement interworking between PC 1, PC 2, and PC 3, you can configure static routes on R 1, R
2, and R 3.
On R 1, configure a route to the network segment of PC 2 through R 2, and a route to the network segment of PC 3
through R 3.
On R 2, configure a route to the network segment of PC 1 through R 1, and a route to the network segment of PC 3
through R 3.
On R 3, configure a route to the network segment of PC 1 through R 1, and a route to the network segment of PC 2
through R 2.
Figure 3-1
Configuration Guide Managing Routes
Deployment
If no dynamic routing protocol is configured, you can configure floating static routes to implement dynamic switching of routes
to prevent communication interruption caused by the network connection failures.
As shown in Figure , to prevent communication interruption caused by a line failure between R 1 and R 3, you can configure
a floating static route respectively on R 1 and R 3. Normally, packets are forwarded on a path with a small administrative
distance. If a link on this path is down, the route is automatically switched to the path with a large administrative distance.
On R1, configure two routes to the network segment of PC 3, including a route through R 3 (default distance = 1) and a
route through R 2 (default distance = 2).
On R 3, configure two routes to the network segment of PC 1, including a route through R 1 (default distance = 1) and a
route through R 2 (default distance = 2).
Configuration Guide Managing Routes
Figure 3-2
Deployment
If there are multiple paths to the same destination, you can configure load balancing routes. Unlike floating routes, the
administrative distances of load balancingroutes are the same. Packets are distributed among these routes based on the
balanced forwarding policy.
As shown in Figure , load balancing routes are configured respectively on R 1 and R 3 so that packets sent to the network
segment of PC 3 or PC 1 are balanced between two routes, including a route through R 2 and a route through R 4.
On R 1, configure two routes to the network segment of PC 3, including a route through R 2 and a route through R 4.
On R 3, configure two routes to the network segment of PC 1, including a route through R 2 and a route through R 4.
Configuration Guide Managing Routes
Figure 3-3
Remarks On the switch, the load is balanced based on the source IP address by default. Run the aggregateport
load-balance command to configure the load balancing mode of ECMP route.
Deployment
3.3 Features
Feature Description
Route Computation Generate a valid route on a device.
Optimal Route Select an optimal route to forward packets.
Selection
Default Route Forward all packets and help reduce the size of a routing table.
Route Reliability Quickly detect a route failure and recover communication.
Routing functions are classified into IPv4 and IPv6 routing functions. If the routing functionsare disabled, a device is
equivalent to a host and cannot forward routes.
Dynamic Route
A dynamic routing protocol learns remote routes and dynamically updates routes by exchanging routes with neighbors. If a
neighbor is the next hop of a route and this neighbor fails, the route fails as well.
Static Route
Configuration Guide Managing Routes
On a network with a simple topology, you can configure only static routes to implement network interworking. Appropriate
configuration and use of static routes can improve the network performance and guarantee the bandwidth for important
network applications.
Whether a static route is active is computed based on the status of the local interface. When the exit interface of a static route
is located at layer 3 (L3) and is in Up status (the link status is Up and the IP address is configured), this route is active and
can be used for packet forwarding.
When multiple routing protocols generate routes to the same destination, the priorities of these routes can be determined
based on the administrative distance. A smaller administrative distance indicates a higher priority.
Equal-Cost Route
If multiple routes to the same destination have different next hops but the same administrative distance, these routes are
mutually equal-cost routes. Packets are distributed among these routes to implement load balancing based on the balanced
forwarding policy.
On a specific device, the total number of equal-cost routes is limited. Routes beyond the limit do not participate in packet
forwarding.
Floating Route
If multiple routes to the same destination have different next hops and different administrative distances, these routes are
mutually floating routes. The route with the smallest administrative distance will be first selected for packet forwarding. If this
route fails, a route with a larger administrative distance is further selected for forwarding, thus preventing communication
interruption caused by a network line failure.
Default Gateway
On a L3 switch, a static route with the network segment 0.0.0.0 and the subnet mask 0.0.0.0 is configured to generate the
default route.
Default Network
Configuration Guide Managing Routes
The default network is configured to generate a default route. If the ip default-network command is configured to specify a
network (a classful network, such as a Class A, B, or C network), and this network exists in the routing table, the router will
use this network as the default network and the next hop of this network is the default gateway. As the network specified by
the ip default-network command is a classful one, if this command is used to identify a subnet in a classful network, the
router automatically generates a static route of the classful network instead of any default route.
3.4 Configuration
(Optional) It is used to limit the number of equal-cost routes and number of static routes,
or disable routing.
Generate a static route in the routing table. Use the static route to forward packets to a remote network.
Notes
If the no ip routing command is configured on a L3 switch, you cannot configure IPv4 static routes on this switch, and
existing IPv4 static routes will also be deleted. Before the device is restarted, reconfiguring the ip routing command
can recover the deleted IPv4 static routes. After the device is restarted, deleted IPv4 static routes cannot be recovered.
If the no ipv6 unicast- routing command is configured on a L3 switch, you cannot configure IPv6 static routes on this
switch, and existing IPv6 static routes will also be deleted. Before the device is restarted, reconfiguring the ipv6
unicast- routing command can recover the deleted IPv6 static routes. After the device is restarted, deleted IPv6 static
routes cannot be recovered.
Configuration Steps
Command ip route networknet-mask {ip-address | interface [ip-address]} [distance] [tag tag] [permanent [weight
number] [descriptiondescription-text] [disabled | enabled]
Parameter network Indicates the address of the destination network.
Description net-mask Indicates the mask of the destination network.
ip-address (Optional) Indicates the next-hop address of the static route. You must specify at least
one of ip-address and interface, or both of them. If ip-address is not specified, a static
direct route is configured.
interface (Optional) Indicates the next-hop exit interface of the static route. You must specify at
least one of ip-address and interface, or both of them. If interface is not specified, a
recursive static direct route is configured. The exit interface is obtained by the next hop
in the routing table.
distance (Optional) Indicates the administrative distance of the static route. The administrative
distance is 1 by default.
tag (Optional) Indicates the tag of the static route. The tag is 0 by default.
permanent (Optional) Indicates the flag of the permanent route. The static route is not a permanent
route by default.
weight number (Optional) Indicates the weight of the static route. The weight is 1 by default.
Configuration Guide Managing Routes
descriptiondescri (Optional) Indicates the description of the static route. By default, no description is
ption-text configured. description-text is a string of one to 60 characters.
disabled/enabled (Optional) Indicates the enable flag of the static route. The flag is enabled by default.
Defaults By default, no static route is configured.
Command Global configuration mode
Mode
Usage Guide The simplest configuration of this command is ip route networknet-maskip-address.
Verification
Configuration Guide Managing Routes
Run the show ip route command to display the IPv4 routing table and check whether the configured IPv4 static route
takes effect.
Run the show ipv6 route command to display the IPv6 routing table and check whether the configured IPv6 static route
takes effect.
Configuration Example
Scenario
Figure 3-4
R2
R2#configure terminal
R3
R3#configure terminal
R2
R2#configure terminal
R3
R3#configure terminal
R2
R2# show ip route
R3
R3# show ip route
Scenario
Figure 3-5
R2
R2#configure terminal
R2
R2#configure terminal
IA - Inter area
R2
R2# show ipv6 route
IA - Inter area
Common Errors
Generate a default route in the routing table. The default route is used to forward packets that cannot be forwarded by
other routes.
Notes
On a L2 switch, run the ip default gateway or ipv6 default gateway command to configure the default gateway.
Configuration Guide Managing Routes
On a L3 switch, run the ip route 0.0.0.0 0.0.0.0 gatewayor ipv6 route ::/0 ipv6-gatewaycommand to configure the
default gateway.
If the no ip routing or no ipv6 unicast- routing command is configured on a L3 switch, you can run the ip default
gateway or ipv6 default gateway command to configure the default gateway.
Configuration Steps
Command ip route 0.0.0.00.0.0.0{ ip-address | interface [ip-address]} [distance] [tag tag] [permanent ] [weight
number] [description description-text] [disabled | enabled]
Parameter 0.0.0.0 Indicates the address of the destination network.
Description 0.0.0.0 Indicates the mask of the destination network.
ip-address (Optional) Indicates the next-hop address of the static route. You must specify at least
one of ip-address and interface, or both of them. If ip-address is not specified, a static
direct route is configured.
interface (Optional) Indicates the next-hop exit interface of the static route. You must specify at
least one of ip-address and interface, or both of them. If interface is not specified, a
recursive static direct route is configured. The exit interface is obtained by the next
hop in the routing table.
distance (Optional) Indicates the administrative distance of the static route. The administrative
distance is 1 by default.
tag (Optional) Indicates the tag of the static route. The tag is 0 by default.
permanent (Optional) Indicates the flag of the permanent route. The static route is not a
Configuration Guide Managing Routes
Parameter network Indicates the address of the network. (The network must be a Class A, B, or C network.)
Description
Defaults By default, no default network is configured.
Command Global configuration mode
Mode
Usage Guide If the network specified by the ip default-network command exists, a default route is generated and the
next hop to this network is the default gateway. If the network specified by the ip default-network command
does not exist, the default route is not generated.
Verification
On a L2 switch (or a L3 switch where routing is disabled), run the show ip redirects or show ipv6 redirects command
to display the default gateway.
On a L3 switch where routing is enabled, run the show ip route or show ipv6 route command to display the default
route.
Configuration Example
Scenario
Figure 3-6
R2
R2#configure terminal
R1#configure terminal
R2#configure terminal
R2
R2(config)#ip route 0.0.0.0 0.0.0.0 GigabitEthernet 0/1 1.1.12.1
The XS-S1960-H series switch does not support ISIS or BGP. The configuration example is only for
reference.
Limit the number of equal-cost routes and number of static routes, or disable routing.
Configuration Guide Managing Routes
Notes
Configuration Steps
Command no ip routing
Parameter N/A
Description
Configuration Guide Managing Routes
3.5 Monitoring
Displaying
Description Command
Displays the IPv4 routing table. show ip route
Displays the IPv6 routing table. show ipv6route
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs IPv4 route management. debug nsm kernel ucast- v4
Debugs IPv6 route management. debug nsm kernel ucast-v6
Debugs default network debug nsm kernel default-network
management.
Debugs internal events of route debug nsm events
management.
Debugs sending of route debug nsm packet send
management and routing protocol
messages.
Debugs receiving of route debug nsm packet recv
Configuration Guide Managing Routes
4 Configuring Keys
4.1 Overview
Keys are a kind of parameters that are used in algorithms for conversion from plain text to cipher text or from cipher text to
plain text.
Plain text and cipher text authentication are supported for packet authentication in a routing protocol, during which keys need
to be used.
At present, keys are used only for RIP and ISIS packet authentication.
4.2 Applications
Application Description
RIP Authentication RIP uses keys for packet authentication.
Network devices run RIP and use the MD5 authentication mode to increase the protocol security.
Figure 4-1
Deployment
Configure a key chain on A. Configure RIP to enable packet authentication and use the key chain.
Configure a key chain on B. Configure RIP to enable packet authentication and use the key chain.
4.3 Features
Overview
Configuration Guide Configuring Keys
Feature Description
Key Chain Provide a tool for authentication in a routing protocol.
A key chain may contain multiple different keys. Each key contains the following attributes:
Key ID: Identifies a key. In the current key chain, keys and IDs are mapped in the one-to-one manner.
Authentication string: Indicates a set of key characters used for verifying the consistency of authentication strings in a
routing protocol.
Lifetime: Specifies the lifetime of the current key for sending or receiving packets. Different authentication keys can be
used in different periods.
Related Configuration
In the global configuration mode, run the key chain key-chain-name command to define a key chain and enter the key chain
configuration mode.
In the key chain configuration mode, run the key key-id command to define a key and enter the key chain key configuration
mode.
In the key chain key configuration mode, run the key-string [0|7] text command to specify an authentication string.
A plain text authentication string is configured by default. The value 0 indicates that a plain text authentication key is
configured.
The encryption authentication service is disabled by default. You can run the service password-encryption command
to enable the encryption service to forcibly convert plain text authentication into cipher text.
Configuring Lifetime
In the key chain key configuration mode, you can configure the lifetime of a key chain in the receiving and sending directions.
accept-lifetime start-time { infinite | end-time | duration seconds }: Configures the lifetime of a key chain in the
receiving direction.
send-lifetime start-time { infinite | end-time | duration seconds }: Configures the lifetime of a key chain in the sending
direction.
4.4 Configuration
Notes
A key chain can take effect only after it is associated with a routing protocol.
Configuration Steps
If there is no special requirement, you should perform this configuration on all routers for which routing protocol
authentication needs to be performed.
Configuring a Key ID
If there is no special requirement, you should perform this configuration on all routers for which routing protocol
authentication needs to be performed.
If there is no special requirement, you should perform this configuration on all routers for which routing protocol
authentication needs to be performed.
Optional.
If the lifetime in the sending direction is not configured, the key chain will be always effective.
Optional.
Configuration Guide Configuring Keys
If the lifetime in the sending direction is not configured, the key chain will be always effective.
Verification
Use keys in a routing protocol and observe the neighborship established by the routing protocol. If the keys are
inconsistent, the neighborship fails to be established.
Related Commands
Configuring a Key ID
Mode
Usage Guide Run this command to define the lifetime of the key in the sending direction.
Configuration Example
Configuring a Key Chain and Using the Key Chain in RIP Packet Authentication
Scenario
Figure 4-2
A#configure terminal
A(config-keychain)#key 1
A(config-keychain-key)#key-string Hello
A(config-keychain-key)#exit
A(config-keychain)#key 2
Configuration Guide Configuring Keys
A(config-keychain-key)#key-string World
A(config-keychain-key)#exit
A(config-if)#exit
A(config)#router rip
A(config-router)#version 2
A(config-router)#network 192.168.27.0
B
B>enable
B#configure terminal
B(config-keychain)#key 1
B(config-keychain-key)#key-string Hello
B(config-keychain-key)#exit
B(config-keychain)#key 2
B(config-keychain-key)#key-string World
B(config-keychain-key)#exit
B(config-if)#exit
B(config)#router rip
Configuration Guide Configuring Keys
B(config-router)#version 2
B(config-router)#network 192.168.27.0
B(config-router)#redistribute static
Verification Run the show ip route rip command to check whether router A can receive an RIP route from router B.
A
A(config)#show ip route rip
Common Errors
A key is not correctly associated with a routing protocol, which causes that authentication does not take effect.
The keys configured on multiple routers are not consistent, which causes authentication failure.
4.5 Monitoring
Displaying
Description Command
Displays the configurations of a key show key chain [ key-chain-name ]
chain.
Configuration Guide Configuring Routing Policies
5.1 Overview
Routing policies are a policy set for changing the packet forwarding path or routing information and are often implemented by
a filtering list and a route map. Routing policies are flexibly and widely applied in the following methods:
Use a route map in a routing protocol to filter or modify routing information. Where, the route map can further use a
filtering list.
Use a route map in policy-based routing (PBR) to control packet forwarding or modify packet fields.
5.2 Applications
Application Description
Route Filtering Use a filtering list in a routing protocol to filter the routing information sent or received by the
protocol.
Route Re-distribution Use a route map in a routing protocol to filter or modify routing information and re-distribute
RIP routes to OSPF. Only RIP routes with 4 hops can be re-distributed.
Scenario
Figure 5-1
As shown in Figure 5-1, router A has routes to 3 networks: 10.0.0.0, 20.0.0.0 and 30.0.0.0.
Configure a filtering list on the routers to achieve the following purposes:
Filter the sent routing information on router A to filter routes that router A does not need to send.
Filter the received routing information on router B to filter routes that router B does not need to learn.
Configuration Guide Configuring Routing Policies
Deployment
Filter the received routing information 20.0.0.0 on router B to ensure that router B learns only routing information
10.0.0.0.
Specify the range for re-distributing routes and re-distribute only routing information that meets certain rules.
Scenario
Figure 5-2
As shown in Figure 5-2, configure route re-distribution on the devices to achieve the following purposes:
In the OSPF routing domain, the initial metric of this route is 40, the route type is the external route type-1 and the route
tag value is set to 40.
Deployment
Configure a route with 4 hops in the route map rip_to_ospf: match, and set the initial metric of this route to 40, the route
type to the external route type-1 and the route tag value to 40.
Configure route re-distribution to re-distribute RIP routes to OSPF and use the route map rip_to_ospf.
5.3 Features
Overview
Feature Description
Filtering List Define a group of lists based on a route attribute, which can be used by a routing protocol for
route filtering.
Route Map A policy defines "if certain conditions are matched, you can perform certain processing actions".
Configuration Guide Configuring Routing Policies
Working Principle
Based on different routing attributes, filtering lists are classified into the following types:
ACLs comprise IPv4 and IPv6 ACLs. When defining ACLs, you can specify IPv4/IPv6 addresses and masks to match the
destination network segment or next-hop addresses of routing information.
Similar to ACLs, prefix-lists, including IPv4 prefix-lists and IPv6 prefix-lists, are used to match destination network segments
of routing information during route filtering.
Related Configuration
Creating an ACL
In the global configuration mode, run the ip access-list { extended | standard } { id | name } command to create an IPv4
ACL.
You can set multiple policies in an ACL, sorted by their sequence numbers. Policies have two working modes: permit and
deny.
Creating a Prefix-List
In the global configuration mode, run the ip prefix-list prefix-list-name [ seq seq-number ] { deny | permit } ip-prefix [ ge
minimum-prefix-length ] [ le maximum-prefix-length ] command to create an IPv4 prefix-list and add a prefix entry to the list.
You can set multiple entries in the prefix-list, sorted by their sequence numbers. Entries have two working modes: permit and
deny.
Run the ip prefix-list prefix-list-name description descripton-text command to add description to the prefix-list.
Run the ip prefix-list sequence-number command to enable the sorting function for the prefix-list.
Creating an Extcommunity-List
In the global configuration mode, run the ip extcommunity-list {standard-list | standard list-name } { permit | deny } [ rt
value] [ soo value ] command to create a standard extcommunity list and add an entry to the list.
Run the ip extcommunity-list {expanded-list | expanded list-name } { permit | deny } [ regular-expression ] command to
create an extcommunity list and add an entry to the list.
You can also run the ip extcommunity-list {expanded-list | expanded list-name| standard-list | standard list-name }
command to create an extcommunity list and enter the configuration mode of ip extcommunity-list to add entries.
You can set multiple entries in the extcommunity-list. Entries have two working modes: permit and deny.
Working Principle
Executing policies
A route map may contain multiple policies. Each policy has a corresponding sequence number. A smaller sequence number
means a higher priority. Policies are executed based on their sequence numbers. Once the matching condition of a policy is
met, the processing action for this policy needs to be performed and the route map exits. If no matching condition of any
policy is met, no processing action will be performed.
permit: When the matching condition of a policy is met, the processing action for this policy will be performed and the
route map will exit.
deny: When the matching condition of a policy is met, the processing action for this policy will not be performed and the
route map will exit.
If the matching condition contains one or more match rules, all rules must be matched.
If the processing action contains 0 set rule, no processing action will be performed and the route map will directly exit.
If the processing action contains one or more set rules, all processing actions will be performed and then the route map
will exit.
If set rules have different priorities, the set rule with the highest priority will take effect.
Configuration Guide Configuring Routing Policies
Related Configuration
In the global configuration mode, you can run the route-map route-map-name [ permit | deny ] [ sequence-number ]
command to create a route map and add a policy to the route map.
You can set multiple policies in a route map. Each policy uses different sequence numbers.
By default, no match rule is set (that is, the matching condition of a policy contains 0 match rule).
In the route map mode, run the match command to set match rules. One match command is mapped to one match rule.
RGOS provides abundant match commands for setting flexible matching conditions.
Command Description
match interface Uses the output interface of a route as the matching condition.
match ip address Uses the destination IPv4 address of a route as the matching condition.
match ip next-hop Uses the next-hop IPv4 address of a route as the matching condition.
match ip route-source Uses the source IPv4 address of a route as the matching condition.
match ipv6 address Uses the destination IPv6 address of a route as the matching condition.
match ipv6 next-hop Uses the next-hop IPv6 address of a route as the matching condition.
match ipv6 route-source Uses the source IPv6 address of a route as the matching condition.
match metric Uses the metric of a route as the matching condition.
match route-type Uses the type of a route as the matching condition.
match tag Uses the tag value of a route as the matching condition.
By default, no set rule is configured (that is, the processing action of a policy contains 0 set rule).
In the route map mode, run the set command to configure set rules. One set command is mapped to one set rule.
RGOS provides abundant set commands for setting flexible processing actions.
Command Description
set ip default nexthop Specifies the default next hop of a route. This command has a lower priority
than a common route and a higher priority than set default interface.
set ip dscp Modifies the dscp field of an IP packet.
set ip nexthop Specifies the next hop of a route, which belongs to a global VRF.
set ip precedence Modifies the precedence field of an IP packet.
set ip tos Modifies the tos field of an IP packet.
set level Sets the destination area type to which a route will be directed.
set metric Modifies the metric value of a route.
set metric-type Sets the metric type of a route.
Configuration Guide Configuring Routing Policies
Command Description
set next-hop Sets the next-hop IP address of a route.
set tag Sets the tag value of a route.
5.4 Configuration
Notes
If a match command uses an ACL to define packet matching conditions, the ACL must be configured.
The Following match Cannot Be Configured with the Following match Commands At the Same Time
Commands
match ip address match ip prefix-list
match ipv6 address match ipv6 prefix-list
match ip next-hop match ip next-hop prefix-list
match ipv6 next-hop match ipv6 next-hop prefix-list
match ip route-source match ip route-source prefix-list
Configuration Guide Configuring Routing Policies
The Following match Cannot Be Configured with the Following match Commands At the Same Time
Commands
match ipv6 route-source match ipv6 route-source prefix-list
The Following set Cannot Be Configured with the Following set Commands At the Same Time
Commands
set ip dscp set ip tos
set ip dscp set ip precedence
Configuration Steps
Mandatory.
Optional.
If multiple match rules are configured, all the match rules must be matched.
Optional.
If multiple set rules are configured, all set rules must be executed (if the set rules have different priorities, the set rule
with the highest priority takes effect).
Verification
Related Commands
Description 99 and 1300 to 1999. For an extended access list, the value ranges are 100 to 199 and 2000 to 2699.
access-list-name: Indicates the access list name.
prefix-list prefix-list-name: Indicates the name of a prefix-list to be matched.
Command Route map configuration mode
Mode
Usage Guide This match rule matches the source IPv4 address of a route by using an ACL or a prefix-list. An ACL and a
prefix-list cannot be configured at the same time.
Command match route-type { static | connect | rip | local | internal | external [ type-1 | type-2 ]
Parameter static: Indicates a static route.
Description connect: Indicates a direct route.
rpi: Indicates a RIP route.
local: Indicates a route locally generated.
Internal: Indicates an internal OSPF route.
external: Indicates an external route (that of BGP or OSPF).
type-1 | type-2: Indicates type-1 or type-2 external route of OSPF.
Mode
Usage Guide This set rule is used to specify the next hop of a route.
Command set ip precedence { number | critical | flash | flash-override | immediate | internet | network | priority |
routine }
Parameter number: Indicates the priority of the IP header with a number, ranging from 0 to 7.
Description 7: critical
6: flash
5: flash-override
4: immediate
3: internet
2: network
1: priority
0: routine
critical | flash | flash-override | immediate | internet | network | priority | routine: priority of an IP
header.
Command Route map configuration mode
Mode
Usage Guide This set rule is used to modify the precedence field of an IP packet header.
Command set ipv6 default next-hop global-ipv6-address [ weight ] [ global-ipv6-address [ weight ] ... ]
Parameter global-ipv6-address: Indicates the next-hop IPv6 address for packet forwarding. The next-hop router must
Description be a neighbor router.
weight: Indicates the weight in the load balancing mode, ranging from 1 to 8. A larger value means larger
packet traffic to be shared by the next hop.
Command Route map configuration mode
Mode
Usage Guide This set rule is used to specify the default next hop IPv6 address of a route.
Configuration Guide Configuring Routing Policies
Command set ipv6 precedence { number | critical | flash | flash-override | immediate | internet | network | priority
| routine }
Parameter number: Indicates the priority of the IP header with a number, ranging from 0 to 7.
Description 7: critical
6: flash
5: flash-override
4: immediate
3: internet
2: network
1: priority
0: routine
critical | flash | flash-override | immediate | internet | network | priority | routine: priority of an IP
header.
Command Route map configuration mode
Mode
Usage Guide This set rule is used to set the priority of an IPv6 packet header.
Usage Guide This set rule is used to modify the metric value of a route.
Configuration Example
Using a Route Map in Route Re-distribution to Filter and Modify Routing Information
Scenario As shown in Figure 5-3, a device is connected to both an OSPF routing domain and RIP routing domain.
Figure 5-3
Re-distribute only RIP routes with 4 hops to OSPF. In the OSPF route domain, if the route type is the
Configuration Guide Configuring Routing Policies
external route type-1, set the tag value of the route to 40.
Re-distribute only OSPF routes with the tag value 10 to RIP. In the RIP route domain, set the initial
metric value of this route to 10.
Configuration Configure the route map redrip: Match a route with 4 hours, set the initial metric value of the route to
Steps 40, set the route type to the external route type-1, and set the tag value of the route to 40.
Configure the route map redospf: match a route with the tag value 10 and set the initial metric value of
the route to 10.
Configure re-distribution of the RIP route to OSPF and apply the route map redrip.
Configure re-distribution of the OSPF route to RIP and apply the route map redospf.
Ruijie(config-route-map)# exit
Ruijie(config-route-map)# exit
Ruijie(config-router)# exit
Ruijie(config-router)# exit
Verification Check the configurations of the route map to verify the policy rules.
Check the OSPF routing information library to verify that the rules matching the policy rules are
re-distributed.
Match clauses:
metric 4
Set clauses:
metric 40
Configuration Guide Configuring Routing Policies
metric-type type-1
tag 40
Match clauses:
tag 10
Set clauses:
metric 10
LS age: 5
LS Type: AS-external-LSA
Checksum: 0x554d
Length: 36
Metric Type: 1
TOS: 0
Metric: 4
Notes
A configured filtering list can take effect only after it is associated with a routing protocol.
Configuration Steps
Configuring a Prefix-List
If there is no special requirement, you should perform this configuration on a route for which filtering based on a
prefix-list needs to be performed.
If there is no special requirement, you should perform this configuration on a route for which community attributes need
to be filtered.
Verification
Check the routing table to verify that routes can be correctly filtered.
Related Commands
standard-list: Indicates a standard extcommunity list, ranging from 1 to 99. One extcommunity list may
contain multiple rules.
expanded list-name: Indicates the name of an extended extcommunity, comprising not more than 32
characters. When using this parameter, you enter the extcommunity list configuration mode.
standard list-name: Indicates the name of a standard extcommunity list, comprising not more than 32
characters. When using this parameter, you enter the extcommunity list configuration mode.
permit: Defines an extcommunity rule for permitting.
deny: Defines an extcommunity rule for denying.
regular-expression: (optional) Defines a matching template that is used to match an extcommunity.
sequence-number: (Optional) Defines the sequence number of a rule, ranging from 1 to 2,147,483,647. If
no sequence number is specified, the sequence number automatically increases by 10 when a rule is added
by default. The initial number is 10.
rt: (Optional) Sets the RT attribute value. This command can be used only for the standard extcommunity
configuration, but not for the extended extcommunity configuration.
soo: (Optional) Sets the SOO attribute value. This command can be used only for the standard
extcommunity configuration, but not for the extended extcommunity configuration.
value: Indicates the value of an extended community (extend_community_value).
Command Global configuration mode and ip extcommunity-list configuration mode
Mode
Usage Guide -
Creating a Prefix-List
Command ipv6 prefix-list prefix-list-name [ seq seq-number ] { deny | permit } ipv6-prefix [ ge minimum-prefix-length ]
[ le maximum-prefix-length ]
Parameter prefix-list-name: Indicates the prefix-list name.
Description seq-number: Assigns a sequence number to an prefix-list entry, ranging from 1 to 2,147,483,647. If this
command does not contain the sequence number, the system will assign a default sequence number to the
prefix-list entry. The default sequence number of the first entry is 5. Subsequently, the default sequence
number of each entry not assigned with a value is the first multiple of 5 greater than the previous sequence
number.
deny: Denies access when certain conditions are matched.
permit: Permits access when certain conditions are matched.
ipv6-prefix: Configures the IP address and mask, ranging from 0 to 128 digits.
minimum-prefix-length: Specifies the minimum range (namely, the start length of a range).
maximum-prefix-length: Specifies the maximum range (namely, the end length of a range).
Command Global configuration mode
Mode
Usage Guide -
Configuration Example
Scenario
Figure 5-4
Configuration Define a standard community list to match the community attribute 100: 20.
Steps Advertise a route with the community attribute on B.
Associate the community list on A to filter routes received on B.
A
A(config)# ip community-list standard test permit 100:20
A(config-route-map)# exit
B
B(config)# route-map comm1
B(config-route-map)# exit
Common Errors
Configuration Guide Configuring Routing Policies
A filtering list is configured but is not correctly applied in a routing protocol, which causes that the filtering list cannot
take effect.
5.5 Monitoring
Displaying
Description Command
Displays the configurations of a route show route-map [ route-map-name ]
map.
Displays the configurations of an show access-lists [ id | name ]
ACL.
Displays the configurations of an show ip prefix-list [ prefix-name ]
IPv4 prefix-list.
Displays the configurations of an show ipv6 prefix-list [ prefix-name ]
IPv6 prefix-list.
Displays the configurations of an show ip as-path-access-list [ num ]
AS-path list.
Displays the configurations of a show ip community-list [ community-list-number | community-list-name ]
community list.
Displays the configurations of an show ip extcommunity-list [ extcommunity-list-num | extcommunity-list-name ]
extcommunity list.
Configuration Guide Configuring OSPFv2
6 Configuring OSPFv2
6.1 Overview
Open Shortest Path First (OSPF) is an Interior Gateway Protocol (IGP) that is used within the Autonomous System (AS) to
allow routers to obtain a route to a remote network.
OSPF Version 2 (OSPFv2) is applicable to IPv4, and OSPF Version 3 (OSPFv3) is applicable to IPv6. The protocol
running mechanism and most configurations are the same.
Wide scope of application: OSPF is applicable to a larger-scale network that supports hundreds of routers.
Fast convergence: Once the network topology changes, notifications can be quickly sent between routers to
update routes.
No self-loop: Only the link status information is synchronized between routers. Each router computes routes
independently, and a self-loop will not occur.
Area division: A large routing domain is divided into multiple small areas to save system resources and network
bandwidth and ensure stability and reliability of routes.
Route classification: Routes are classified into several types to support flexible control.
Multicast transmission: Protocol packets are sent using the multicast address to avoid interfering with irrelevant
entities and save system resources.
In this chapter, the term "router" refers to any network device that supports the routing function. These network devices
can be L3 switches, routers, or firewall.
RFC2328 This memo documents version 2 of the OSPFprotocol. OSPF is a link-state routing protocol.
RFC 2370 This memo defines enhancements to the OSPFprotocol to support a new class of link-stateadvertisements
(LSA) called Opaque LSAs.Opaque LSAs provide a generalized mechanismto allow for the future extensibility
of OSPF.
RFC3137 This memo describes a backward-compatibletechnique that may be used by OSPF (OpenShortest Path First)
implementations to advertiseunavailability to forward transit traffic or to lowerthe preference level for the paths
through such arouter.
Configuration Guide Configuring OSPFv2
RFC3623 This memo documents an enhancement to theOSPF routing protocol, whereby an OSPF routercan stay on the
forwarding path even as its OSPFsoftware is restarted.
RFC3630 This document describes extensions to the OSPFprotocol version 2 to support intra-area TrafficEngineering
(TE), using Opaque Link StateAdvertisements.
RFC3682 The use of a packet's Time to Live (TTL) (IPv4)or Hop Limit (IPv6) to protect a protocol stackfrom
CPU-utilization based attacks has beenproposed in many settings.
RFC3906 This document describes how conventional hop-by-hop link-state routing protocols interact withnew Traffic
Engineering capabilities to createInterior Gateway Protocol (IGP) shortcuts.
RFC4576 This document specifies the necessary procedure,using one of the options bits in the LSA (Link
StateAdvertisements) to indicate that an LSA hasalready been forwarded by a PE and should beignored by
any other PEs that see it.
RFC4577 This document extends that specification byallowing the routing protocol on the PE/CEinterface to be the
OSPF protocol.
RFC4750 This memo defines a portion of the ManagementInformation Base (MIB) for use with networkmanagement
protocols in TCP/IP-based Internets.In particular, it defines objects for managingversion 2 of the Open
Shortest Path First RoutingProtocol. Version 2 of the OSPF protocol is specific to the IPv4 address family.
6.2 Applications
Application Description
Intra-Domain Interworking OSPF runs within the AS, which is divided into several areas.
Inter-Domain Interworking Several ASs are interconnected. OSPF runs within each AS.
OSPF runs within the AS. If the number of routers exceeds 40, it is recommended that the AS be divided into several areas.
Generally, high-end devices featuring reliable performance and fast processing speed are deployed in a backbone area, and
low-end or medium-range devices with relatively lower performance can be deployed in a normal area. All normal areas must
be connected to the backbone area. It is recommended that a normal arealocated on the stub be configured as a stub area.
As shown in Figure 6-1, the network is divided into four areas. Communication between these areas must go through the
backbone area, that is area 0.
Configuration Guide Configuring OSPFv2
Remarks A, B, C, D, E, and H are located in the backbone area, and are backbone routers.
Area 3 is configured as a stub area.
Deployment
6.3 Features
Basic Concepts
Routing Domain
All routers in an AS must be interconnected and use the same routing protocol. Therefore, the AS is also called routing
domain.
An AS on which OSPF runs is also called OSPF routing domain, or OSPF domain for short.
OSPF Process
OSPF supports multiple instances, and each instance corresponds to an OSPF process.
One or more OSPF processes can be started on a router. Each OSPF process runs OSPF independently, and the processes
are mutually isolated.
The process ID takes effect only on the local router, and does not affect exchange of OSPF packets on adjacent interfaces.
Configuration Guide Configuring OSPFv2
RouterID
The router ID uniquely identifies a router in an OSPF domain. Router IDs of any two routers cannot be the same.
If multiple OSPF processes exist on a router, each OSPF process uses one router ID. Router IDs of any two OSPF
processes cannot be the same.
Area
OSPF supports multiple areas. An OSPF domain is divided into multiple areas to ease the computing pressure of a
large-scale network.
An area is a logical group of routers, and each group is identified by an area ID. The border between areas is a router. A
router may belong to one area or multiple areas. One network segment (link) can belong to only one area, or each
OSPF-enabled interface must belong to a specified area.
Area 0 is the backbone area, and other areas are normal areas. Normal areas must be directly connected to the backbone
area.
OSPF Router
The following types of routers are defined in OSPF, and assigned with different responsibilities:
Internal router
All interface of an interval router belong to the same OSPF area. As shown in Figure 6-2, A, C, F, G, I, M, J, K, and
L are internal routers.
Configuration Guide Configuring OSPFv2
Backbone router
A backbone router has at least one interface that belongs to the backbone area. All ABRs and all routers in area 0
are backbone routers. As shown in Figure 6-2, A, B, C, D, E, and H are backbone routers.
Virtual Link
OSPF supports virtual links. A virtual link is a logical link that belongs to the backbone area. It is used to resolve the problems
such as a discontinuous backbone area or a failure to directly connect a normal area to the backbone area on the physical
network. A virtual link supports traversal of only one normal area, and this area is called transit area. Routers on both ends of
a virtual link are ABRs.
As shown in Figure 6-3, a virtual link is set up between A and B to connect two separated area 0s. Area 1 is a transit area,
and A and B are ABRs of area 1.
Figure 6-3 Failure to Directly Connect a Normal Area to the Backbone Areaon the Physical Network
As shown in Figure 6-3, a virtual link is set up between A and B to extend area 0 to B so that area 0 can be directly connected
to area 2 on B. Area 1 is a transit area, A is an ABR of area 1, and B is an ABR of area 0 and area 2.
Configuration Guide Configuring OSPFv2
LSA
OSPF describes the routing information by means of Link State Advertisement (LSA).
Stub areas, NSSA areas, totally stub areas, and totally NSSA areas are special forms of normal areas and help reduce
the load of routers and enhance reliability of OSPF routes.
OSPF Packet
The following table lists the protocol packets used by OSPF. These OSPF packets are encapsulated in IP packets and
transmitted in multicast or unicast mode.
Link State Acknowledgment (LSAck) LSAck packets are used to acknowledge the received LSAs.
Overview
Feature Description
Link-State Routing Protocols Run OSPF on the router to obtain routes to different destinations on the network.
OSPF Route Management Plan or optimize OSPF routes through manual configuration to implement management of
OSPF routes.
Enhanced Security and Use functions such as authentication to enhance security, stability, and reliability of OSPF.
Reliability
Network Management Use functions such as the management information base (MIB) and Syslog to facilitate OSPF
management.
Working Principle
Routers send Hello packets through all OSPF-enabled interfaces (or virtual links). If Hello packets can be exchanged
between two routers, and parameters carried in the Hello packets can be successfully negotiated, the two routers become
neighbors. Routers that are mutually neighbors find their own router IDs from Hello packets sent from neighbors, and
bidirectional communication is set up.
A Hello packet includes, but is not limited to, the following information:
Neighbor dead interval of the originating router interface (or virtual link)
Configuration Guide Configuring OSPFv2
After bidirectional communication is set up between neighbor routers, the DD, LSR, LSU, and LSAck packets are used to
exchange LSAs and set up the adjacency. The brief process is as follows:
The LSA is exchanged between neighbors. When a router receives the LSA from its neighbor, it copies the LSA
and saves the copy in the local LSDB, and then advertises the LSA to other neighbors.
When the router and its neighbors obtain the same LSDB, full adjacency is achieved.
OSPF will be very quiet without changes in link costs or network addition or deletion. If any change takes place, the
changed link states are advertised to quickly synchronize the LSDB.
After the complete LSDB is obtained from the router, the Dijkstra algorithm is run to generate an SPT from the local router to
each destination network. The SPT records the destination networks, next-hop addresses, and costs. OSPF generates a
routing table based on the SPT.
If changes in link costs or network addition or deletion take place, the LSDB will be updated. The router again runs the
Dijkstra algorithm, generates a new SPT, and updates the routing table.
The Dijkstra algorithm is used to find a shortest path from a vertex to other vertices in a weighted directed graph.
A router does not necessarily need to exchange LSAs with every neighbor and set upan adjacency with every neighbor. To
improve efficiency, OSPF classifies networks that use various link layer protocols into five types so that LSAs are exchanged
in different ways to set upan adjacency:
Broadcast
Neighbors are discovered, and the DR and BDR are elected.
The DR (or BDR) exchanges LSAs with all other routers to set up an adjacency. Except the DR and BDR, all other
routers do not exchange LSAs with each other, and the adjacency is not set up.
Ethernet and fiber distributed data interface (FDDI) belong to the broadcast network type by default.
Point-to-point (P2P)
Neighbors are automatically discovered, and the DR or BDR is not elected.
Configuration Guide Configuring OSPFv2
LSAs are exchanged between routers at both ends of the link, and the adjacency is set up.
PPP,HDLC, and LAPB belongs to the P2P network type by default.
Point-to-multipoint (P2MP)
Neighbors are automatically discovered, and the DR or BDR is not elected.
LSAs are exchanged between any two routers, and the adjacency is set up.
Networks without any link layer protocol belong to the P2MP network type by default. P2MP broadcast
Neighbors are manually configured, and the DR or BDR is not elected.
LSAs are exchanged between any two routers, and the adjacency is set up.
Networks without any link layer protocol belong to the P2MP network type by default.
Figure 6-4
Display the OSPF routes (marked in red) in the routing table of Router A.
A#show ip route
The XS-S1960-H series switch does not support ISIS or BGP. The configuration example is only for reference.
A mark is displayed in front of each OSPF route to indicate the type of the route. There are six types of OSPF routes:
O: Intra-area route
This type of route describes how to arrive ata destination network in the local area. The cost of this type of route is
equal to the cost of the route from the local router to the destination network.
Reliability of E2 and N2 routes is poor. OSPF believes that the cost of the route from the ASBR to a destination outside
an AS is far greater than the cost of the route to the ASBR within the AS. Therefore, when the route cost is computed,
only the cost of the route from the ASBR to a destination outside an AS is considered.
Configuration Guide Configuring OSPFv2
Related Configuration
Enabling OSPF
Run the router ospf 1 command to create an OSPF process on the router.
Run the network area command to enable OSPF on the interface and specify the area ID.
Run the area virtual-link command to create a virtual link on the router. The virtual link can be treated as a logical interface.
Router ID
By default, the OSPF process elects the largest IP address among the IP addresses of all the loopback interfaces as the
router ID. If the loopback interfaces configured with IP addresses are not available, the OSPF process elects the largest IP
address among the IP addresses of all the loopback interfaces as the router ID.
Alternatively, you can run the router-id command to manually specify the router ID.
Run the ip ospf hello-interval command to modify the Hello interval on the interface. The default value is 10s (or 30s for
NBMA networks).
Run the ip ospf dead-interval command to modify the neighbor dead interval on the interface. The default value is four
times the Hello interval.
Use the poll-interval parameter in the neighbor command to modify the neighbor polling interval on the NBMA interface.
The default value is 120s.
Run the ip ospf transmit-delay command to modify the LSU packet transmission delay on the interface. The default value is
1s.
Run the ip ospf retransmit-interval command to modify the LSU packet retransmission interval on the interface. The default
value is 5s.
Use the hello-interval parameter in the area virtual-linkcommand to modify the Hello interval on the virtual link. The default
value is 10s.
Use the dead-interval parameter in the area virtual-linkcommand to modify the neighbor dead interval on the virtual link.
The default value is four times the Hello interval.
Use the transmit-delay parameter in the area virtual-linkcommand to modify the LSU packet transmission delay on the
virtual link. The default value is 1s.
Use the retransmit-interval parameter in the area virtual-linkcommand to modify the LSU packet retransmission interval on
the virtual link. The default value is 5s.
Run the timers throttle lsa all command to modify parameters of the exponential backoff algorithm that generates LSAs.
The default values of these parameters are 0 ms, 5000 ms, and 5000 ms.
Run the timerspacinglsa-group command to modify the LSA group update interval. The default value is 30s.
Configuration Guide Configuring OSPFv2
Run the timers pacing lsa-transmit command to modify the LS-UPD packet sending interval and the number of sent
LS-UPD packets. The default values are 40 ms and 1.
Run the timers lsa arrival command to modify the delay after which the same LSA is received. The default value is 1000 ms.
Run the timers throttle spf command to modify the SPT computation delay, minimum interval between two SPT
computations, and maximum interval between two SPT computations. The default values are 1000 ms, 5000 ms, and 10000
ms.
By default, Ethernet and FDDI belong to the broadcast type, X.25, frame relay, and ATM belong to the NBMA type, and PPP,
HDLC, and LAPB belong to the P2P type.
Run the ip ospf network command to manually specify the network type of an interface.
Run the neighbor command to manually specify a neighbor. For the NBMA and P2MP non-broadcast types, you must
manually specify neighbors.
Run the ip ospf priority command to adjust the priorities of interfaces, which are used for DR/BDR election. The DR/BDR
election is required for the broadcast and NBMA types. The router with the highest priority wins in the election, and the router
with the priority of 0 does not participate in the election. The default value is 1.
Working Principle
The (totally) stub and (totally)NSSA areas help reduce the protocol interaction load and the size of the routing table.
If an appropriate area is configured as a (totally) stub or NSSA area, advertisement of a large number of Type 5
and Type 3 LSAs can be avoided within the area.
Area Type1 and Type 3 LSA Type 4 LSA Type 5 LSA Type 7 LSA
Type2 LSAs
Non (totally) stub area and Allowed Allowed Allowed Allowed Not allowed
NSSA area
Stub area Allowed Allowed (containing one Not allowed Not allowed Not allowed
default route)
Totally stub area Allowed Only one default route is Not allowed Not allowed Not allowed
allowed.
NSSA area Allowed Allowed (containing one Allowed Not allowed Allowed
default route)
Totally NSSA area Allowed Only one default route is Allowed Not allowed Allowed
allowed.
The ABR uses Type 3LSAs to advertise a default route to the (totally) stub or NSSA area.
Configuration Guide Configuring OSPFv2
The ABR converts Type 7 LSAs in the totally NSSA area to Type 5LSAs, and advertise Type5LSAs to the backbone
area.
If an area is appropriately configured as a (totally) stub area or an NSSA area, a large number of E1, E2, and IA
routes will not be added to the routing table of a router in the area.
Area Routes Available in the Routing Table of a Router Inside the Area
Non (totally) stub area and O: a route to a destination network in the local area
NSSA area IA: a route to a destination network in another area
E1 or E2: a route or default route to a destination network segment outside the AS (via any
ASBR in the AS)
Stub area O: a route to a destination network in the local area
IA: a route or a default route to a destination network in another area
Totally stub area O: a route to a destination network in the local area
IA: a default route
NSSA area O: a route to a destination network in the local area
IA: a route or a default route to a destination network in another area
N1 or N2: a route or default route to a destination network segment outside the AS (via any
ASBR in the local area)
Totally NSSA area O: a route to a destination network in the local area
IA: a default route
N1 or N2: a route or default route to a destination network segment outside the AS (via any
ASBR in the local area)
Route Redistribution
Route redistribution refers to the process of introducing routes of other routing protocols, routes of other OSPF processes,
static routes, and direct routes that exist on the device to an OSPF process so that these routes can be advertised to
neighbors using Type 5 and Type 7 LSAs. A default route cannot be introduced during route redistribution.
Route redistribution is often used for interworking between ASs. You can configure route redistribution on an ASBR to
advertise routes outside an AS to the interior of the AS, or routes inside an AS to the exterior of the AS.
By configuring a command on an ASBR, you can introduce a default route to an OSPF process so that the route can be
advertised to neighbors using Type 5 and Type 7 LSAs.
Default route introduction is often used for interworking between ASs. One default route is used to replace all the routes
outside an AS.
Route Summarization
Route summarization is a process of summarizing routing information with the same prefix into one route, and advertising the
summarized route (replacing a large number of individual routes) to neighbors. Route summarization helps reduce the
protocol interaction load and the size of the routing table.
Configuration Guide Configuring OSPFv2
By default, the ABR advertises inter-area routing information by using Type3 LSAs within a network segment, and advertises
redistributed routing information by using Type 5 and Type 7 LSAs.If continuous network segments exist, it is recommended
that you configure route summarization.
When configuring route summarization, the summarization range may exceed the actual network scope of routes. If data is
sent to a network beyond the summarization range, a routing loop may be formed and the router processing load may
increase. To prevent these problems, the ABR or ASBR automatically adds a discard route to the routing table. This route will
not be advertised.
Route Filtering
OSPF supports route filtering to ensure security and facilitate control when the routing information is being learned,
exchanged, or used.
Using configuration commands, you can configure route filtering for the following items:
Interface: The interface is prevented from sending routing information (any LSAs) or exchanging routing
information (any LSAs) with neighbors.
Routing information advertised between areas: Only the routing information that meets the filtering conditions can
be advertised to another area (Type 3 LSAs).
Routing information outside an AS: Only the routing information that meets the filtering conditions can be
redistributed to the OSPF process(Type 5 and Type 7 LSAs).
LSAs received by a router: In the OSPF routing table, only the routes that are computed based on the LSAs
meeting the filtering conditions can be advertised.
Route Cost
If redundancy links or devices exist on the network, multiple paths may exist from the local device to the destination network.
OSPF selects the path with the minimum total cost to form an OSPF route. The total cost of a path is equal to the sum of the
costs of individual links along the path. The total cost of a path can be minimized by modifying the costs of individual links
along the path. In this way, OSPF selects this path to form a route.
Cost from an interface to a directly connected network segment and cost from the interface to a neighbor
Cost from an ABR to the inter-area summarization network segment and cost from the ABR to the default network
segment
Cost from an ASBR to an external network segment and cost from the ASBR to the default network segment
Both the cost and the metric indicate the cost and are not differentiated from each other.
The administrative distance (AD) evaluates reliability of a route, and the value is an integer ranging from 0 to 255. A smaller
AD value indicates that the route is more trustworthy. If multiples exist to the same destination, the route preferentially
selects a route with a smaller AD value. The route with a greater AD value becomes a floating route, that is, a standby route
of the optimum route.
Configuration Guide Configuring OSPFv2
By default, the route coming from one source corresponds to an AD value. The AD value is a local concept. Modifying the AD
value affects route selection only on the current router.
Related Configuration
Run the area stub command to configure a specified area as a stub area.
Run the area nssa command to configure a specified area as an NSSA area.
A transit area (with virtual links going through) cannot be configured as a stub or an NSSA area.
By default, routes are not redistributed and the default route is not introduced.
After configuring route redistribution and default route introduction, the route automatically becomes an ASBR.
Route Summarization
By default, routes are not summarized. If route summarization is configured, a discard route will be automatically added.
Run the arearange command to summarize routes distributed between areas (Type 3 LSA) on the ABR.
Run the summary-address command to summarize redistributed routes (Type 5 and Type 7 LSAs) on the ASBR.
Run the discard-route command to add a discard route to the routing table.
Route Filtering
Run the passive-interface command to configure a passive interface. Routing information (any LSAs) cannot be exchanged
on a passive interface.
Run the ip ospfdatabase-filter all out command to prohibit an interface from sending routing information (any LSAs).
Run the area filter-list command to filter routing information advertised between areas on the ABR. Only the routing
information that meets the filtering conditions can be advertised to another area (Type 3 LSAs).
Configuration Guide Configuring OSPFv2
Use the route-map parameter in the redistribute command, or use the distribute-list out command to filter the external
routing information of the AS on the ASBR. Only the routing information that meets the filtering conditions can be
redistributed to the OSPF process (Type 5 and Type 7 LSAs).
Run the distribute-list in command to filter LSAs received by the router. In the OSPF routing table, only the routes that are
computed based on the LSAs meeting the filtering conditions can be advertised.
Route Cost
Cost from the interface to the directly-connected network segment (cost on the interface)
The default value is the auto cost. Auto cost = Reference bandwidth/Interface bandwidth
Run the auto-cost reference-bandwidth command to set the reference bandwidth of auto cost. The default value
is 100 Mbps.
Run the ip ospf cost command to manually set the cost of the interface. The configuration priority of this item is
higher than that of the auto cost.
Cost from the interface to a specified neighbor (that is, cost from the local device to a specified neighbor)
The default value is the auto cost.
Use the cost parameter in the neighbor command to modify the cost from the interface to a specified neighbor.
The configuration priority of this item is higher than that of the cost of the interface.
This configuration item is applicable only to P2MP-type interfaces.
Cost from the ABR to the inter-area summarization network segment (that is, the cost of the summarized
inter-area route)
If OSPF routing is compatible with RFC1583, the default value is the minimum cost among all costs of the
summarized links; otherwise, the default value is the maximum cost among all costs of the summarized links.
Run the compatible rfc1583 command to make OSPF routing compatible with RFC1583. By default, OSPF
routing is compatible with RFC1583.
Use the cost parameter in the area range command to modify the cost of inter-area route summarization.
Cost from the ABR to the default network segment (that is, the cost of the default route that is automatically
advertised by the ABR to the stub or NSSA areas)
The default value is 1.
Run the area default-cost command to modify the cost of the default route that the ABR automatically advertise
to the stub or NSSA areas.
Cost from the ASBR to an external network segment (that is, the metric of an external route)
By default, the metric of other types of redistributed routes is 20, and the route type is Type 2 External.
Run the default-metric command to modify the default metric of the external route.
Use the metric,metric-type and route-map parameters in the redistribute command to modify the metric and
route type of the external route.
Cost from the ASBR to the default network segment (that is, the metric of the default route that is manually
introduced)
By default, the metric is 1, and the route type is Type 2 External.
Use the metric,metric-type and route-map parameters in the default-information originate command to
modify the metric and route type of the default route that is manually introduced.
Configuration Guide Configuring OSPFv2
Use the metric and metric-type parametersofdefault-information originatein the area nssa command to modify
the metric and type of the default route that is manually introduced to the NSSA area.
Run the max-metric router-lsa command to set metrics of all routes advertised on the router to the maximum
value. In this way, the total cost of any path that passes through this router will become very large, and the path
can hardly become the shortest path.
Working Principle
Authentication
Authentication prevents routers that illegally access the network and hosts that forge OSPF packet from participating in the
OSPF process. OSPF packets received on the OSPF interface (or at both ends of the virtual link) are authenticated. If
authentication fails, the packets are discarded and the adjacency cannot be set up.
Enabling authentication can avoid learning unauthenticated or invalid routes, thus preventing advertising valid routes to
unauthenticated devices. In the broadcast-type network, authentication also prevents unauthenticated devices from
becoming designated devices, ensuring stability of the routing system and protecting the routing system against intrusions.
MTU Verification
On receiving a DD packet, OSPF checks whether the MTU of the neighbor interface is the same as the MTU of the local
interface. If the MTU of the interface specified in the received DD packet is greater than the MTU of the interface that
receives the packet, the adjacency cannot be set up. Disabling MTU verification can avoid this problem.
Generally, the source address of a packet received by OSPF is in the same network segment as the receiving interface. The
addresses at both ends of a P2P link are configured separately and are not necessarily in the same network segment. In this
scenario, as the peer address information will be notified during the P2P link negotiation process, OSPF checks whether the
source address of the packet is the address advertised by the peer during negotiation. If not, OSPF determines that the
packet is invalid and discards this packet. In particular, OSPF does not verify the address of an unnumbered interface.
In some scenarios, the source address of a packet received by OSPF maynot be in the same network segment as the
receiving interface, and therefore OSPF address verification fails. For example, the negotiated peer address cannot be
obtained on a P2P link. In this scenario, source address verification must be disabled to ensure that the OSPF adjacency can
be properly set up.
Two-Way Maintenance
Configuration Guide Configuring OSPFv2
OSPF routers periodically send Hello packets to each other to maintain the adjacency. On a large network, a lot of packets
may be sent or received, occupying too much CPU and memory. As a result, some packets are delayed or discarded. If the
processing time of Hello packets exceeds the dead interval, the adjacency will be destroyed.
If the two-way maintenance function is enabled, in addition to the Hello packets, the DD, LSU, LSR, and LSAck packets can
also be used to maintain the bidirectional communication between neighbors, which makes the adjacency more stable.
When a router simultaneously exchanges data with multiple neighbors, its performance may be affected. If the maximum
number of neighbors that concurrently initiate or accept interaction with the OSPF process, the router can interact with
neighbors by batches, which ensures data forwarding and other key services.
Overflow
OSPF requires that routers in the same area store the same LSDB. The number of routers keeps increasing on the network.
Some routers, however, cannot store so much routing information due to the limited system resources. The large amount of
routing information may exhaust the system resources of routers, causing failures of the routers.
The overflow function limit the number of external routes in the LSDB to control the size of the LSDB.
When the number of external routes on a router exceeds the upper limit, the router enters the overflow state. The router
deletes the external routes generated by itself from the LSDB, and does not generate new external routes. In addition, the
router discards the newly received external routes. After the overflow state timer (5s) expires, if the number of external routes
is lower than the upper limit, the normal state is restored.
GR
The control and forwarding separated technology is widely used among routers. On a relatively stable network topology,
when a GR-enabled router is restarted on the control plane, data forwarding can continue on the forwarding plane. In
addition, actions (such as adjacency re-forming and route computation) performed on the control plane do not affect
functions of the forwarding plane. In this way, service interruption caused by route flapping can be avoided, thus enhancing
reliability of the entire network.
Currently, the GR function is used only during active/standby switchover and system upgrade.
Configuration Guide Configuring OSPFv2
The GR process requires collaboration between the restarter and the helper. The restarter is the router where GR
occurs. The helper is a neighbor of the restarter.
When entering or exiting the GR process, the restarter sends a Grace-LSA to the neighbor, notifying the neighbor
to enter or exit the helper state.
When the adjacency between the restarter and the helper reaches the Full state, the router can exit the GR
process successfully.
After a link fault occurs, OSPF senses the death of the neighbor only after a period of time (about 40s). Then, OSPF
advertises the information and re-computes the SPT. During this period, traffic is interrupted.
After the fast Hello function is enabled (that is, the neighbor dead interval is set to 1s), OSPF can sense the death
of a neighbor within 1s once a link is faulty. This greatly accelerates route convergence and prevents traffic
interruption.
Related Configuration
Run the areaauthentication command to enable the authentication function in the entire area so that the function
takes effect on all interfaces in this area. If authentication is enabled in area 0, the function takes effect on the
virtual link.
Run the ip ospf authentication command to enable authentication on an interface. This configuration takes
precedence over the area-based configuration.
Run the ip ospf authentication-key command to set the text authentication key on an interface.
Run the ip ospfmessage-digest-key command to set the message digest 5 (MD5) authentication key on an
interface.
Use the authentication parameter in the area virtual-link command to enable authentication at both ends of a
virtual link. This configuration takes precedence over the area-based configuration.
Use the authentication-key parameter in the area virtual-link command to set the text authentication key at both
ends of a virtual link.
Use the message-digest-key parameter in the area virtual-link command to set the MD5 authentication key at
both ends of a virtual link.
MTU Verification
Run the ip ospf source-check-ignore command to disable source address verification on an interface.
Two-Way Maintenance
Run the max-concurrent-dd command to modify the maximum number of neighbors that are concurrently interacting with
the current OSPF process. The default value is 5.
Run the ip router ospf max-concurrent-dd command to modify the maximum number of neighbors that are concurrently
interacting with all OSPF processes on the router. The default value is 10.
Overflow
Run the overflow memory-lack command to allow the router to enter the overflow state when the memory is insufficient. By
default, the router is allowed to enter the overflow state when the memory is insufficient.
Run the overflow database command to allow the router to enter the overflow state when the number of LSAs is too large.
By default, the router is not allowed to enter the overflow state when the number of LSAs is too large.
Configuration Guide Configuring OSPFv2
Run the overflow database external command to allow the router to enter the overflow state when the number of
externalLSAs is too large. By default, the router is not allowed to enter the overflow state when the number of external-LSAs
is too large.
GR
By default, the restarter function is disable, and the helper function is enabled.
Fast Hello
Run the ip ospf dead-intervalminimal hello-multiplier command to enable the Fast Hello function on an interface, that is,
the neighbor dead interval is 1s.
Working Principle
MIB
MIB is the device status information set maintained by a device. You can use the management program to view and set the
MIB node.
Multiple OSPF processes can be simultaneously started on a router, but the OSPF MIB can be bound with only one OSPF
process.
Trap
A Trap message is a notification generated when the system detects a fault. This message contains the related fault
information.
If the Trap function is enabled, the router can proactively send the Trap messages to the network management device.
Syslog
The Syslog records the operations (such as command configuration) performed by users on routers and specific events
(such as network connection failures).
If the Syslog is allowed to record the adjacency changes, the network administrator can view the logs to learn the entire
process that the OSPF adjacency is set up and maintained.
Related Configuration
MIB
By default, the MIB is bound with the OSPF process with the smallest process ID.
Run the enable mib-binding command to bind the MIB with the current OSPF process.
Configuration Guide Configuring OSPFv2
Trap
By default, all traps are disabled, and the device is not allowed to send OSPF traps.
Run the enable traps command to enable a specified trap for an OSPF process.
Run the snmp-server enable traps ospf command to allow the device to send OSPF traps.
SYSLOG
Run the log-adj-changes command to allow the Syslog to record the adjacency changes.
6.4 Configuration
(Optional) The configurations are mandatory if the physical network is the X.25, frame
Configuring Route (Optional) The configurations are recommended if the OSPF routing domain is
(Optional) It is used to reduce interaction of routing information and the size of routing
Configuring Stub Area
table, and enhance stability of routes.
and NSSA Area
areastub Configures a stub area.
areanssa Configures an NSSA area.
Configuration Guide Configuring OSPFv2
(Optional) It is used to reduce interaction of routing information and the size of routing
Configuring Route ip ospfdatabase-filter all out Prohibits an interface from sending LSAs.
(Optional) It is used to manually control the shortest route computed by OSPF and
Enabling Authentication (Optional) It is used to prevent routers that illegally access the network and hosts that
(Optional) It is used to prevent the problem that OSPF processes stop running due to
(Optional) It is used to prevent the problem that the adjacency cannot be set up due to
Disabling Source
the failure to obtain the peer address.
Address Verification
Disables source address verification on an
ip ospf source-check-ignore
interface.
Disabling MTU (Optional) It is used to prevent the problem that the adjacency cannot be set up due to
Enabling Two-Way (Optional) It is used to prevent termination of the adjacencydue to the delay or loss of
(Optional) The configurations enable users to use the SNMP network management
(Optional) You are advised not to modify protocol control parameters unless necessary.
Set up an OSPF routing domain on the network to provide IPv4 unicast routing service for users on the network.
Notes
Ensure that the IP unitcast routing function is enabled, that is, ip routing is not disabled; otherwise, OSPF cannot
be enabled.
After ip ospf disable all is configured, the interface neither sends or receives any OSPF packet, nor participates
in OSPF computation even if the interface belongs to the network.
Configuration Steps
Mandatory.
Configuring a Router ID
(Optional) It is strongly recommended that you manually configure the router ID.
If the router ID is not configured, OSPF selects an interface IP address. If the IP address is not configured for any
interface, or the configured IP addresses have been used by other OSPF instances, you must manually configure
the router ID.
Mandatory.
Verification
Run the show ip route ospf command to verify that the entries of the OSPF routing table are correctly loaded.
Run the ping command to verify that the IPv4 unicast service is correctly configured.
Related Commands
Configuration Guide Configuring OSPFv2
Configuring a Router ID
Command router-idrouter-id
Parameter router-id: Indicates the router ID to be configured. It is expressed in the IP address.
Description
Command OSPF routing process configuration mode
Mode
Usage Guide Different OSPF processes are independent of each other, and can be treated as different routing protocols
that run independently.
Each OSPF process uses a unique router ID.
ranges from 0 to 2,147,483,647. The setting of this parameter must be consistent with that on a neighbor.
minimal: Indicates that the Fast Hello function is enabled to set the dead interval to 1s.
hello-multiplier: Indicates the result of the dead interval multiple by the Hello interval in the Fast Hello
function.
multiplier: Indicates the number of Hello packets sent per second in the Fast Hello function. The value
ranges from 3 to 20.
hello-interval seconds: Indicates the interval at which OSPF sends the Hello packet to the virtual link. The
unit is second. The value ranges from 1 to 65,535. The setting of this parameter must be consistent with that
on a neighbor.
retransmit-interval seconds: Indicates the OSPF LSA retransmission time. The unit is second. The value
ranges from 1 to 65,535.
transmit-delay seconds: Indicates the delay after which OSPF sends the LSA. The unit is second. The
value ranges from 1 to 65,535.
authentication-key [ 0 | 7 ]key: Defines the key for OSPF plain text authentication.
message-digest-key key-idmd5 [ 0 | 7 ]key: Defines the key ID and key for OSPF MD5 authentication.
authentication: Sets the authentication type to plain text authentication.
message-digest: Sets the authentication type to MD5 authentication.
null: Indicates that authentication is disabled.
Command OSPF routing process configuration mode
Mode
Usage Guide
In the OSPF routing domain, all areas must be connected to the backbone area. If the backbone area is
disconnected, a virtual link must be configured to connect to the backbone area; otherwise, network
communication problems will occur. A virtual link must be created between two ABRs, and the area to which
both ABRs belong is the transit area. A stub area or an NSSA area cannot be used as a transit area. A
virtual link can also be used to connect other non-backbone areas.
router-id is the ID of an OSPF neighbor router. If you are sure about the value of router-id, run the show ip
ospf neighbor command to confirm the value. You can configure the loopback address as the router ID.
The area virtual-link command defines only the authentication key of the virtual link. To enable OSPF
packet authentication in the areas connected to the virtual link, you must run the area authentication
command.
After the OSPF Fast Hello function is enabled, OSPF finds neighbors and detects neighbor failures faster.
You can enable the OSPF Fast Hello function by specifying the minimal and hello-multiplier keywords and
the multiplier parameter. The minimal keyword indicates that the death interval is set to 1s, and
hello-multiplier indicates the number of Hello packets sent per second. In this way, the interval at which the
Hello packet is sent decreases to less than 1s.
If the Fast Hello function is configured for a virtual link, the Hello interval field of the Hello packet advertised
on the virtual link is set to 0, and the Hello interval field of the Hello packet received on this virtual link is
ignored.
Configuration Guide Configuring OSPFv2
No matter whether the Fast Hello function is enabled, the death interval must be consistent and the
hello-multiplier values can be inconsistent on routers at both ends of the virtual link. Ensure that at least
one Hello packet can be received within the death interval.
Run the show ip ospf virtual-links command to monitor the death interval and Fast Hello interval
configured for the virtual link.
The dead-interval minimal hello-multiplier and hello-interval parameters introduced for the Fast Hello
function cannot be configured simultaneously.
Configuration Example
Scenario
Figure 6-6
A(config-if-GigabitEthernet 0/1)#exit
A(config-if-GigabitEthernet 0/2)#exit
A(config)#router ospf 1
Configuration Guide Configuring OSPFv2
A(config-router)#router-id192.168.1.1
B
B#configure terminal
B(config-if-GigabitEthernet 0/1)#exit
B(config-if-GigabitEthernet 0/2)#exit
B(config)#router ospf 1
B(config-router)#router-id192.168.1.2
C
C#configure terminal
C(config-if-GigabitEthernet 0/3)#exit
C(config)#router ospf 1
C(config-router)#router-id192.168.2.2
D
D#configure terminal
D(config-if-GigabitEthernet 0/3)#exit
D(config)#router ospf 1
D(config-router)#router-id192.168.3.2
Verification Verify that the OSPF neighbors are correct on all routers.
Verify that the routing table is correctly loaded on all routers.
On Router D, verify that the IP address 192.168.2.2 can be pinged successfully.
Configuration Guide Configuring OSPFv2
A
A# show ip ospf neighbor
B
B# show ip ospf neighbor
C
C# show ip ospf neighbor
D
D# show ip ospf neighbor
D# ping 192.168.2.2
!!!!!
Common Errors
The network segment configured by the network command does not include the interface IP addresses.
The same interface IP address is configured on multiple routers, resulting in a running error of the OSPF network.
Run OSPF to provide the IPv4 unicast routing serviceif the physical network is X.25, frame relay, or ATM.
Notes
The broadcast network sends OSPF packets in multicast mode. Neighbors are automatically discovered, and the
DR/BDR election is required.
The P2P network sends OSPF packets in multicast mode. Neighbors are automatically discovered.
The NBMA network sends OSPF packets in unicast mode. Neighbors must be manually specified, and the
DR/BDR election is required.
The P2MP network (without the non-broadcast parameter) sends OSPF packets in multicast mode. Neighbors
are automatically discovered.
The P2MP network (with the non-broadcast parameter) sends OSPF packets in unicast mode. Neighbors must
be manually specified.
Configuration Steps
Optional.
Configuring Neighbors
(Optional) If the interface network type is set to NBMA or P2MP (with the non-broadcast parameter), neighbors
must be configured.
Neighbors are configured on routers at both ends of the NBMA or P2MP (with the non-broadcast parameter)
network.
(Optional) You must configure the interface priority if a router must be specified as a DR, or a router cannot be
specified as a DR.
Configure the interface priority on a router that must be specified as a DR, or cannot be specified as a DR.
Verification
Run the show ip ospf interface command to verify that the network type of each interface is correct.
Related Commands
Configuring Neighbors
Command neighbor ip-address [ poll-intervalseconds ] [ prioritypriority ] [ cost cost ]
Parameter ip-address: Indicates the IP address of the neighbor interface.
Description poll-intervalseconds: Indicates the neighbor polling interval. The unit is second. The value ranges from 0 to
2,147,483,647. This parameter is applicable only to the NBMA interface.
prioritypriority: Indicates the neighbor priority. The value ranges from 0 to 255. This parameter is applicable
only to the NBMA interface.
costcost: Indicates the cost required to reach each neighbor. There is no default value. The value ranges
from 0 to 65,535. This parameter is applicable only to the P2MP interface.
Command OSPF routing process configuration mode
Mode
Configuration Guide Configuring OSPFv2
Usage Guide Neighbors must be specified for the NBMA or P2MP (non-broadcast) interfaces. The neighbor IP address
must be the primary IP address of this neighbor interface.
If a neighbor router becomes inactive on the NBMA network, OSPF still sends Hello packets to this neighbor
even if no Hello packet is received within the router death time. The interval at which the Hello packet is sent
is called polling interval. When running for the first time, OSPF sends Hello packets only to neighbors whose
priorities are not 0. In this way, neighbors with priorities set to 0 do not participate in the DR/BDR election.
After a DR/BDR is elected, the DR/BDR sends the Hello packets to all neighbors to set up the adjacency.
The P2MP (non-broadcast) network cannot dynamically discover neighbors because it does not have the
broadcast capability. Therefore, you must use this command to manually configure neighbors for the P2MP
(non-broadcast) network. In addition, you can use the cost parameter to specify the cost to reach each
neighbor on the P2MP network.
This command is applicable only to the OSPF broadcast and NBMA interfaces.
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
Scenario
Figure 6-7
B
B#configure terminal
C
C#configure terminal
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Common Errors
The network types configured on interfaces at two ends are inconsistent, causing abnormal route learning.
The network type is set to NBMA or P2MP (with the non-broadcast parameter), but neighbors are not specified.
In the OSPF domain, introduce a unicast route to other AS domains so that the unicast routing service to other AS
domainscan be provided for users in the OSPF domain.
In the OSPF domain, inject a default route to other AS domains so that the unicast routing service to other AS
domains can be provided for users in the OSPF domain.
Notes
Configuration Steps
(Optional) This configuration is required if external routes of the OSPF domain should be introduced to an ASBR.
(Optional) This configuration is required if the default route should be introduced to an ASBR so that other routers
in the OSPF domain access other AS domains through this ASBR by default.
Verification
On a router inside the OSPF domain, run the show ip route command to verify that the unicast routes to other AS
domains are loaded.
On a router inside the OSPF domain, run the show ip route command to verify that the default route to the ASBR
is loaded.
Run the ping command to verify that the IPv4 unicast service to other AS domains is correct.
Related Commands
The configuration rules for the no form of the redistribute command are as follows:
1. If some parameters are specified in the no form of the command, default values of these parameters will
be restored.
2. If no parameter is specified in the no form of the command, the entire command will be deleted.
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
Scenario
Figure 6-8
D(config)#router ospf 1
Verification On Router D, run the show ip ospf database external brief command to verify that an LSA
corresponding to an external route is generated.
On Router C, run the show ip route ospf command to verify that the external static route has been
introduced.
D D# show ip ospf database external brief
OSPF Router with ID (192.168.22.30) (Process ID 1)
AS External Link States
Scenario
Figure 6-9
D(config)#router ospf 1
Verification On Router D, run the show ip ospf database external brief command to verify that an LSA
corresponding to the default route is generated.
On Router C, run the show ip route ospf command to verify that the OSPF default route exists.
D
D#show ip ospf database external brief
C
C# show ip route ospf
Common Errors
The subnet route is not introduced because the subnets parameter in the redistribute command is not
configured.
Configuration Guide Configuring OSPFv2
A routing loop is formed because the default-information originate always command is configured on multiple
routers.
Routes cannot be introduced because route redistribution is configured on a router in the stub area.
Configure an area located on the stub as a stub area to reduce interaction of routing information and the size of
routing table, and enhance stability of routes.
Notes
A router in the stub area cannot introduce external routes, but a router in the NSSA area can introduce external
routes.
Configuration Steps
(Optional) This configuration is required if you wish to reduce the size of the routing table on routers in the area.
The area must be configured as a stub area on all routers in this area.
(Optional) This configuration is required if you wish to reduce the size of the routing table on routers in the area
and introduce OSPF external routes to the area.
The area must be configured as an NSSA area on all routers in this area.
Verification
On a router in the stub area, run the show ip route command to verify that the router is not loaded with any
external routes.
On a router in the NSSA area, run the show ip ospf database command to verify that the introduced external
route generates Type 7 LSAs.
On a router in the backbone area, run the show ip route command to verify that the router is loaded with external
routes introduced from the NSSA area.
Related Commands
has different functions on the ABR and the ASBR in the NSSA area. On the ABR, a Type 7 LSA default
route is generated regardless of whether the default route exists in the routing table. On the ASBR (not an
ABR), a Type 7 LSA default route is generated only when the default route exists in the routing table.
If the no-redistribution parameter is configured on the ASBR, other external routes introduced by OSPF
through the redistribute command cannot be advertised to the NSSA area. This parameter is generally
used when a router in the NSSA area acts both as the ASBR and the ABR. It prevents external routing
information from entering the NSSA area.
To further reduce the number of LSAs sent to the NSSA area, you can configure the no-summary
parameter on the ABR to prevent the ABR from sending the summary LSAs (Type 3 LSA) to the NSSA area.
area default-cost is used on an ABR or ASBR connected to the NSSA area. This command configures the
cost of the default route sent from the ABR/ASBR to the NSSA area. By default, the cost of the default route
sent to the NSSA area is 1.
If an NSSA area has two or more ABRs, the ABR with the largest router ID is elected by default as the
translator for converting Type 7 LSAs into Type 5 LSAs. If the current device is always the translator ABR for
converting Type 7 LSAs into Type 5 LSAs, use the translator always parameter.
If the translator role of the current device is replaced by another ABR, the conversion capability is retained
during the time specified by stability-interval. If the router does not become a translator again during
stability-interval, LSAs that are converted from Type 7 to Type 5 will be deleted from the AS after
stability-interval expires.
To prevent a routing loop, LSAs that are converted from Type 7 to Type 5 will be deleted from the AS
immediately after the current device loses the translator role even if stability-interval does not expire.
In the same NSSA area, it is recommended that translator always be configured on only one ABR.
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
Scenario
Figure 6-10
D(config)#router ospf 1
A
A# configure terminal
A(config)#router ospf 1
A(config-router)#area 1 stubno-summary
C
C# configure terminal
C(config)#router ospf 1
C(config-router)#area 1 stub
Verification On Router C, run the show ip route ospf command to display the routing table. Verify that there is only one
default inter-area route, and no external static route is introduced from Router D.
Scenario
Figure 6-11
B(config)#router ospf 1
B(config-router)#area 2 nssa
D
D# configure terminal
D(config)#router ospf 1
D(config-router)#area 2 nssa
LS age: 61
Configuration Guide Configuring OSPFv2
LS Type: AS-NSSA-LSA
Checksum: 0xc8f8
Length: 36
TOS: 0
Metric: 20
B
B# show ip ospf database nssa-external
LS age: 314
LS Type: AS-NSSA-LSA
Checksum: 0xc8f8
Length: 36
TOS: 0
Metric: 20
LS age: 875
LS Type: AS-external-LSA
Checksum: 0xd0d3
Length: 36
TOS: 0
Metric: 20
Common Errors
Configurations of the area type are inconsistent on routers in the same area.
External routes cannot be introduced because route redistribution is configured on a router in the stub area.
Summarize routes to reduce interaction of routing information and the size of routing table, and enhance stability
of routes.
Notes
The address range of summarized routes may exceed the actual network range in the routing table. If data is sent
to a network beyond the summarization range, a routing loop may be formed and the router processing load may
increase. To prevent these problems, a discard route must be added to the routing table or shield or filter routes.
Configuration Steps
(Optional) This configuration is required when routes of the OSPF area need to be summarized.
Unless otherwise required, this configuration should be performed on an ABR in the area where routes to be
summarized are located.
(Optional) This configuration is required when routes external to the OSPF domain need to be summarized.
Unless otherwise required, this configuration should be performed on an ASBR to which routes to be summarized
are introduced.
Verification
Run the show ip route ospf command to verify that individual routes do not exist and only the summarized route exists.
Related Commands
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
Configuration Guide Configuring OSPFv2
Scenario
Figure 6-12
B(config)#router ospf 1
Verification On Router A, verify that the entry 172.16.0.0/16 is added to the routing table.
A
A#show ip route ospf
Common Errors
Inter-area route summarization cannot be implemented because the area range command is configured on a
non-ABR device.
Routes that do not meet filtering conditions cannot be loaded to the routing table, or advertised to neighbors.
Network users cannot access specified destination network.
Notes
Filtering routes by using the distribute-list in command affects forwarding of local routes, but does not affect
route computation based on LSAs. Therefore, if route filtering is configured on the ABR, Type 3 LSAs will still be
generated and advertised to other areas because routes can still be computed based on LSAs. As a result,
black-hole routes are generated. In this case, you can run the area filter-list or area range (containing the
not-advertise parameter) command on the ABR to prevent generation of black-hole routes.
Configuration Steps
(Optional) This configuration is recommended if users should be restricted from accessing the network in a certain
OSPF area.
Unless otherwise required, this configuration should be performed on an ABR in the area where filtered routes are
located.
(Optional) This configuration is required if external routes introduced by the ASBR need to be filtered.
Unless otherwise required, this configuration should be performed on an ASBR to which filtered routes are
introduced.
(Optional) This configuration is required if users should be restricted from accessing a specified destination
network.
Unless otherwise required, this configuration should be performed on a router that requires route filtering.
Verification
Run the show ip route command to verify that the router is not loaded with routes that have been filtered out.
Run the ping command to verify that the specified destination network cannot be accessed.
Related Commands
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section ”Configuring OSPF Basic Functions”.
Scenario
Figure 6-13
A(config)#router ospf 1
Verification On Router A, check the routing table. Verify that only the entry 172.16.5.0/24 is loaded.
A
A# show ip route ospf
Common Errors
Filtering routes by using the distribute-list in command affects forwarding of local routes, but does not affect
route computation based on LSAs. Therefore, if route filtering is configured on the ABR, Type 3 LSAs will still be
generated and advertised to other areas because routes can still be computed based on LSAs. As a result,
black-hole routes are generated.
Change the OSPF routes to enable the traffic pass through specified nodes or avoid passing through specified
nodes.
Change the sequence that a router selects routes so as to change the priorities of OSPF routes.
Notes
If you run the ip ospf cost command to configure the cost of an interface, the configured cost will automatically
overwrite the cost that is computed based on the auto cost.
Configuration Steps
Optional.
A router is connected with lines with different bandwidths. This configuration is recommended if you wish to
preferentially select the line with a larger bandwidth.
Optional.
A router is connected with multiple lines. This configuration is recommended if you wish to manually specify a
preferential line.
Optional.
This configuration is mandatory if the cost of external routes of the OSPF domain should be specified when
external routes are introduced to an ASBR.
Optional.
A router may be unstable during the restart process or a period of time after the router is restarted, and users do
not want to forward data through this router. In this case, this configuration is recommended.
Configuration Guide Configuring OSPFv2
Configuring the AD
Optional.
This configuration is mandatory if you wish to change the priorities of OSPF routes on a router that runs multiple
unicast routing protocols.
Verification
Run the show ip ospf interface command to verify that the costs of interfaces are correct.
Run the show ip route command to verify that the costs of external routes introduced to the ASBR are correct.
Restart the router. Within a specified period of time, data is not forwarded through the restarted router.
Related Commands
Configuring RFC1583Compatibility
Command compatible rfc1583
Parameter N/A
Description
Command OSPF routing process configuration mode
Mode
Usage Guide When there are multiple paths to an ASBR or the forwarding address of an external route, RFC1583 and
RFC2328 define different routing rules. If RFC1583 compatibilityis configured, a path in the backbone area
or an inter-area path is preferentially selected. If RFC1583 compatibilityis not configured, a path in a
non-backbone area is preferentially selected.
Configuring the AD
Command distance { distance | ospf { [ intra-areadistance] [inter-areadistance][ external distance]} }
Parameter distance: Indicates the AD of a route. The value ranges from 1 to 255.
Configuration Guide Configuring OSPFv2
Description intra-area distance: Indicates the AD of an intra-area route. The value ranges from 1 to 255.
inter-area distance: Indicates the AD of an inter-area route. The value ranges from 1 to 255.
external distance: Indicates the AD of an external route. The value ranges from 1 to 255.
Command OSPF routing process configuration mode
Mode
Usage Guide Use this command to specify different ADs for different types of OSPF routes.
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
Verification On Router A, check the routing table. The next hop of the optimum path to 172.16.1.0/24 is Router B.
A
A# show ip route ospf
Common Errors
If the cost of an interface is set to 0 in the ip ospf cost command, a route computation error may occur. For
example, a routing loop is obtained.
All routers connected to the OSPF network must be authenticated to ensure stability of OSPF and protect OSPF
against intrusions.
Notes
If authentication is configured for an area, the configuration takes effect on all interfaces that belong to this area.
If authentication is configured for both an interface and the area to which the interface belongs, the configuration
for the interface takes effect preferentially.
Configuration Steps
(Optional) This configuration is recommended if the same authentication type should be used on all interfaces in
the same area.
(Optional) This configuration is recommended if the different authentication types should be used on different
interfaces in the same area.
Optional.
This configuration is required if a router accesses a network that requires plain text authentication.
(Optional) MD5 authentication features a high security, and therefore is recommended. You must configure either
plain text authentication or MD5 authentication.
This configuration is required if a router accesses a network that requires MD5 authentication.
Verification
If routers are configured with different authentication keys, run the show ip ospf neighbor command to verify that
there is no OSPF neighbor.
Configuration Guide Configuring OSPFv2
If routers are configured with the same authentication key, run the show ip ospf neighbor command to verify that
there are OSPF neighbors.
Related Commands
Mode
Usage Guide The key configured by the ip ospf authentication-key command will be inserted to the headers of all OSPF
packets. If the keys are inconsistent, two directly connected devices cannot set up the OSPF adjacency and
therefore cannot exchange the routing information.
Different keys can be configured for different interface, but all routers connected to the same physical
network segment must be configured with the same key.
You can enable or disable authentication in an OSPF area by running the areaauthentication command in
OSPF routing process configuration mode.
You can also enable authentication on an individual interface by running the ip ospf authentication
command in interface configuration mode. When authentication is configured for both an interface and the
area to which the interface belongs, the authentication type configured for the interface is used
preferentially.
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
Configuration Guide Configuring OSPFv2
Scenario
Figure 6-15
A(config)#router ospf 1
A(config-router)#exit
B
B# configure terminal
B(config)#router ospf 1
B(config-router)#exit
Verification On Router A and Router B, verify that the OSPF neighbor status is correct.
A
A#show ip ospf neighbor
B
A#show ip ospf neighbor
Common Errors
Configuration Guide Configuring OSPFv2
New routes are not loaded to routers when the router memory is insufficient.
New routes are not loaded to routers when the usage of the database space reaches the upper limit.
Notes
After a router enters the overflow state, you can run the clear ip ospf process command, or stop and then restart
the OSPF to exit the overflow state.
Configuration Steps
Optional.
This configuration is recommended if a large number of routes exist in the domain and may cause insufficiency of
the router memory.
Optional.
This configuration is recommended if a large number of routes exist in the domain and may cause insufficiency of
the router memory.
Optional.
This configuration is recommended if the ASBR introduces a large number of external routes and the router
memory may be insufficient.
Verification
After the memory becomes insufficient, add new routers to the network, and run the show ip route command to
verify that new routes are not loaded.
After the usage of the database space reaches the upper limit, add new routers to the network, and run the show
ip route command to verify that new routes are not loaded.
Related Commands
Parameter N/A
Description
Command OSPF routing process configuration mode
Mode
Usage Guide The OSPF process enters the overflow state to discard newly-learned external routes. This behavior can
effectively ensure that the memory usage does not increase.
After the overflow function is enabled, the OSPF process enters the overflow state and discards
newly-learned external routes, which may cause a routing loop on the entire network. To reduce the
occurrence probability of this problem, OSPF generates a default route to the null interface, and this route
always exists in the overflow state.
You can run the clear ip ospf process command to reset the OSPF process so that the OSPF process can
exit the overflow state. You can use the no form of the command to prevent the OSPF process from entering
the overflow state when the memory is insufficient. This, however, may lead to over-consumption of the
memory resource, after which the OSPF process will stop and delete all the learned routes.
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
A
A# configure terminal
Verification On Router B, configure 11 static routes (192.100.1.0/24 to 192.100.11.0/24). On Router A, verify that only
10 static routes are loaded.
Configuration Guide Configuring OSPFv2
A
A# show ip route ospf
Common Errors
The OSPF adjacency is abnormal because the maximum number of LSAs is inconsistent on different routers.
Control the maximum number of concurrent neighbors on the OSPF process to ease the pressure on the device.
Notes
Configuration Steps
(Optional) This configuration is recommended if you wish to set up the OSPF adjacencymore quickly when a
router is connected with a lot of other routers.
Verification
Run the show ip ospf neighbor command to display the number of neighbors that are concurrently interacting
with the OSPF process.
Related Commands
Command max-concurrent-ddnumber
Parameter number: Specifies the maximum number of neighbors that are concurrently interacting with the OSPF
Description process. The value ranges from 1 to 65,535.
Command OSPF routing process configuration mode
Mode
Usage Guide When the performance of a router is affected because the router exchanges data with multiple neighbors,
you can configure this command to restrict the maximum of neighbors with which one OSPF process can
concurrently initiates or accepts interaction.
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
Core
Core# configure terminal
Verification On therouter Core, check the neighbor status and verify that at most eight neighbors concurrently interact
with the OSPF process.
The unicast routing service can be provided even if the interface IP addresses of neighbor routers are not in the
same network segment.
Notes
Configuration Steps
(Optional) This configuration is mandatory if an adjacency should be set up between routers with interface IP
addresses in different network segments.
This configuration is performed on routers with interface IP addresses in different network segments.
Verification
Related Commands
verification fails. For example, the negotiated peer address cannot be obtained on a P2P link. In this
scenario, source address verification must be disabled to ensure that the OSPF adjacency can be properly
set up.
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
B
B# configure terminal
The unicast routing service can be provided even if the MTUs of interfaces on neighbor routers are different.
Notes
Configuration Steps
(Optional) MTU verification is disabled by default. You are advised to retain the default configuration.
Verification
Related Commands
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
Scenario
Figure 6-19
A
A# configure terminal
B
B# configure terminal
Notes
Configuration Steps
(Optional) This function is enabled by default. You are advised to retain the default configuration.
Verification
Related Commands
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
Scenario
Figure 6-20
A(config)#routerospf 1
A(config-router)#two-way-maintain
Verification When the adjacency is being set up, Router A checks the neighbor dead interval and updates the dead
interval without waiting for Router B to send a Hello packet.
A
A# show ip ospfneighbor
6.4.14 Enabling GR
Configuration Effect
When a distributed router switches services from the active board to the standby board, data forwarding continues
and is not interrupted.
Configuration Guide Configuring OSPFv2
When the OSPF process is being restarted, data forwarding continues and is not interrupted.
Notes
The grace period cannot be shorter than the neighbor dead time of the neighbor router.
Configuration Steps
(Optional) This function is enabled by default. You are advised to retain the default configuration.
(Optional) This function is enabled by default. You are advised to retain the default configuration.
Verification
When a distributed router switches services from the active board to the standby board, data forwarding continues
and is not interrupted.
When the OSPF process is being restarted, data forwarding continues and is not interrupted.
Related Commands
The precondition for successful execution of GR and uninterrupted forwarding is that the topology remains
stable.If the topology changes, OSPF quickly converges without waiting for further execution of GR, thus
avoiding long-time forwarding black-hole.
Disabling topology detection: If OSPF cannot converge in time when thetopology changes during the hot
standby process, forwarding black-hole may appear in a long time.
Enabling topology detection: Forwarding may be interrupted when topology detection is enabled, but the
interruption time is far shorter than that when topology detection is disabled.
In most cases, it is recommended that topology detection be enabled. In special scenarios, topology
detection can be disabled if the topology changes after the hot standby process, but it can be ensured that
the forwarding black-hole will not appearin a long time. This can minimize the forwarding interruption time
during the hot standby process.
If the Fast Hello function is enabled, the GR function cannot be enabled.
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
Configuration Guide Configuring OSPFv2
Scenario
Figure 6-21
B(config-router)# graceful-restart
Verification Trigger a hot standby switchover on Router B, and verify that the routing tables of destination networks
1 and 2 remain unchanged on Router A during the switchover.
Trigger a hot standby switchover on Router B, ping destination network 1 from Router A, and verify that
data forwarding is not interrupted during the switchover.
Common Errors
Traffic forwarding is interrupted during the GR process because the configured grace period is shorter than the
neighbor dead time of the neighbor router.
Use the network management software to manage OSPF parameters and monitor the OSPF running status.
Configuration Guide Configuring OSPFv2
Notes
You must enable the MIB function of the SNMP-Server before enabling the OSPF MIB function.
You must enable the Trap function of the SNMP-Server before enabling the OSPF Trap function.
You must enable the logging function of the device before outputting the OSPF logs.
Configuration Steps
(Optional) This configuration is required if you want to use the network management software to manage
parameters of a specified OSPF process.
(Optional) This configuration is required if you want to use the network management software to monitor the OSPF
running status.
(Optional) This function is enabled by default. You are advised to retain the default configuration. If you want to
reduce the log output, disable this function.
Verification
Use the network management software to monitor the OSPF running status.
Related Commands
Mode
Usage Guide N/A
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
Scenario
Figure 6-22
Verification Use the MIB tool to read and set the OSPF parameters and display the OSPF running status.
Common Errors
Configurations on the SNMP-Server are incorrect. For example, the MIB or trap function is not enabled.
Notes
The neighbor dead time cannot be shorter than the Hello interval.
Configuration Guide Configuring OSPFv2
Configuration Steps
(Optional) You are advised to retain the default configuration. This configuration can be adjusted if you wish to
accelerate OSPF convergence when a link fails.
(Optional) You are advised to adjust this configuration if a lot of routes exist in the user environment and network
congestion is serious.
(Optional) You are advised to retain the default configuration. This configuration can be adjusted if a lot of routes
exist in the user environment.
Verification
Run the show ip ospfandshow ip ospf neighbor commands to display the protocol running parameters and status.
Related Commands
Configuration Guide Configuring OSPFv2
Description This interval must be longer than the round-trip transmission delay of data packets between two neighbors.
Command Interface configuration mode
Mode
Usage Guide After a router finishes sending an LSU packet, this packet is still kept in the transmit buffer queue. If an
acknowledgment from the neighbor is not received within the time defined by the ip ospf
retransmit-interval command, the router retransmits the LSU packet.
The retransmission delay can be set to a greater value on a serial line or virtual link to prevent unnecessary
retransmission. The LSU retransmission delay of a virtual link is defined by the retransmit-interval
parameter in the area virtual-link command.
are 40 to 100 LSAs, you can set the pacing interval to 10-20 minutes.
spf-holdtime: Indicates the minimum interval between two SPF computations. The unit is ms. The value
ranges from 1 to 600,000.
spf-max-waittime: Indicates the maximum interval between two SPF computations. The unit is ms. The
value ranges from 1 to 600,000.
number: indicates the metric of the summarized route.
Command OSPF routing process configuration mode
Mode
Usage Guide spf-delay indicates the minimum time between the occurrence of the topological change and the start of
SPF computation. spf-holdtime indicates the minimum interval between the first SPF computation and the
second SPF computation. After that, the interval between two SPF computations must be at least twice of
the previous interval. When the interval reaches spf-max-waittime, the interval cannot increase again. If
the interval between two SPF computations already exceeds the required minimum value, the interval is
computed by starting from spf-holdtime.
You can set spf-delay and spf-holdtime to smaller values to accelerate topology convergence, and set
spf-max-waittime to a larger value to reduce SPF computation. Flexible settings can be used based on
stability of the network topology.
Compared with the timers spf command, this command supports more flexible settings to accelerate the
convergence speed of SPF computation and further reduce the system resources consumed by SPF
computation when the topology continuously changes. Therefore, you are advised to use the timers throttle
spf command for configuration.
1. The value of spf-holdtime cannot be smaller than the value of spf-delay; otherwise, spf-holdtime will
be automatically set to the value of spf-delay.
2. The value of spf-max-waittime cannot be smaller than the value of spf-holdtime; otherwise,
spf-max-waittime will be automatically set to the value of spf-holdtime.
3. The configurations of timers throttle spf and timers spf are mutually overwritten.
4. When both timers throttle spf and timers spf are not configured, the default values of timers
throttle spf prevail.
Configuration Example
The following configuration examples assume that the OSPF basic functions have been configured. For details about
the OSPF basic functions, see section “Configuring OSPF Basic Functions”.
B
B# configure terminal
Verification Check the interface parameters on Router A. Verify that the Hello interval is 10s and the dead interval is 50s.
A
A# show ip ospf interface
Timer intervals configured, Hello 15, Dead 50, Wait 40, Retransmit 5
Common Errors
The configured neighbor dead time is shorter than the Hello interval.
6.5 Monitoring
Clearing
Configuration Guide Configuring OSPFv2
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears and resets an OSPF process. clear ip ospf [ process-id] process
Displaying
Description Command
Displays the OSPF process show ip ospf [ process-id ]
configurations.
Displays the OSPF internal routing show ip ospf[ process-id ] border-routers
table, including routes to ABRs and
ASBRs.
Displays information about the OSPF show ip ospf [ process-id area-id] database [{ asbr-summary | external | network |
LSDB. nssa-external | opaque-area | opaque-as | opaque-link | router |
summary }][ { adv-router ip-address| self-originate } |link-state-id |
brief ][ database-summary | max-age | detail]
Displays OSPF-enabled interfaces. show ip ospf [ process-id ] interface [ interface-type interface-number | brief ]
Displays the OSPF neighbor list. show ip ospf [ process-id ] neighbor [ detail ] [ interface-typeinterface-number ]
[ neighbor-id ]
Displays the OSPF routing table. show ip ospf [ process-id ] route[ count ]
Displays the number of times SPT is show ip ospf [ process-id ] spf
computed in the OSPF area.
Displays the summarized route of show ip ospf[ process-id ] summary-address
OSPF redistributed routes.
Displays OSPF virtual links. show ip ospf [ process-id ] virtual-links [ ip-address]
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs OSPF events. debug ip ospf events [abr|asbr|lsa|nssa|os|restart| router|slink| vlink]
Debugs OSPF interfaces. debug ip ospf ifsm [events|status|timers]
Debugs OSPF neighbors. debug ip ospf nfsm [events | status | timers]
Debugs the OSPF NSM. debug ip ospf nsm [interface | redistribute | route]
Debugs OSPF LSAs. debug ip ospf lsa [flooding | generate | install | maxage | refresh]
Debugs OSPF packets. debug ip ospf packet [dd|detail|hello|ls-ack|ls-request|ls-update|recv|send]
Debugs OSPF routes. debug ip ospf route [ase | ia | install | spf | time]
Configuration Guide Configuring OSPFv3
7 Configuring OSPFv3
7.1 Overview
Open Shortest Path First (OSPF) is an Interior Gateway Protocol (IGP) that is used within the Autonomous System (AS) to
allow routers to obtain a route to a remote network.
OSPF Version 2 (OSPFv2) is applicable to IPv4, and OSPF Version 3 (OSPFv3) is applicable to IPv6. The protocol
running mechanism and most configurations are the same.
Wide scope of application: OSPF is applicable to a larger-scale network that supports hundreds of routers.
Fast convergence: Once the network topology changes, notifications can be quickly sent between routers to update
routes.
No self-loop: Only the link status information is synchronized between routers. Each router computes routes
independently, and a self-loop will not occur.
Area division: A large routing domain is divided into multiple small areas to save system resources and network
bandwidth and ensure stability and reliability of routes.
Route classification: Routes are classified into several types to support flexible control.
Multicast transmission: Protocol packets are sent using the multicast address to avoid interfering with irrelevant entities
and save system resources.
In this chapter, the term "router" refers to any network device that supports the routing function. These network devices
can be L3 switches, routers, or firewall.
Unless otherwise specified, "OSPF" in the following descriptions refers to OSPFv3.
RFC2740 This document describes the modifications to OSPF to support version 6 of the Internet
Protocol (IPv6).
draft-ietf-ospf-ospfv This document describes the OSPFv3 graceful restart. The OSPFv3 graceful restart is identical
3-graceful-restart to OSPFv2 except for the differences described in this document. These differences include the
format of the grace Link State Advertisements (LSA) and other considerations.
draft-ietf-ospf-ospfv This memo defines a portion of the Management Information Base (MIB) for use with network
3-mib-11 management protocols in IPv6-based internets. In particular, it defines objects for managing the
Open Shortest Path First Routing Protocol for IPv6.
Configuration Guide Configuring OSPFv3
7.2 Applications
Application Description
Intra-Domain Interworking OSPF runs within the AS, which is divided into several areas.
OSPF runs within the AS. If the number of routers exceeds 40, it is recommended that the AS be divided into several areas.
Generally, high-end devices featuring reliable performance and fast processing speed are deployed in a backbone area, and
low-end or medium-range devices with relatively lower performance can be deployed in a normal area. All normal areas must
be connected to the backbone area. It is recommended that a normal area located on the stub be configured as a stub area.
As shown in Figure 7-1, the network is divided into four areas. Communication between these areas must go through the
backbone area, that is, area 0.
Remark A, B, C, D, E, and H are located in the backbone area, and are backbone routers.
s Area 3 is configured as a stub area.
Deployment
7.3 Features
Basic Concepts
Routing Domain
All routers in an AS must be interconnected and use the same routing protocol. Therefore, an AS is also called a routing
domain.
An AS on which OSPF runs is also called OSPF routing domain, or OSPF domain for short.
OSPF Process
OSPF supports multiple instances, and each instance corresponds to an OSPF process.
One or more OSPF processes can be started on a router. Each OSPF process runs OSPF independently, and the processes
are mutually isolated.
An OSPF packet header contains the Instance ID field, and multiple OSPF instances can run concurrently on a single link.
The process ID is valid only on the local device.
RouterID
The router ID uniquely identifies a router in an OSPF domain. Router IDs of any two routers cannot be the same.
If multiple OSPF processes exist on a router, each OSPF process uses one router ID. Router IDs of any two OSPF
processes cannot be the same.
Area
OSPF supports multiple areas. An OSPF domain is divided into multiple areas to ease the computing pressure of a
large-scale network.
An area is a logical group of routers, and each group is identified by an area ID. The border between areas is a router. A
router may belong to one area or multiple areas. One network segment (link) can belong to only one area, or each
OSPF-enabled interface must belong to a specified area.
Area 0 is the backbone area, and other areas are normal areas. Normal areas must be directly connected to the backbone
area.
Figure 7-2 Division of the OSPF Areas
Configuration Guide Configuring OSPFv3
OSPF Router
The following types of routers are defined in OSPF, and assigned with different responsibilities:
Internal router
All interface of an interval router belong to the same OSPF area. As shown in Figure 7-2, A, C, F, G, I, M, J, K, and L
are internal routers.
Area border router (ABR)
An ABR is used to connect the backbone area with a normal area. An ABR belongs to two or more areas, and one of
the areas must be the backbone area. As shown in Figure 7-2, B, D, E, and H are ABRs.
Backbone router
A backbone router has at least one interface that belongs to the backbone area. All ABRs and all routers in area 0 are
backbone routers. As shown in Figure 7-2, A, B, C, D, E, and H are backbone routers.
AS boundary router (ASBR)
An ASBR is used to exchange routing information with other ASs. An ASBR is not necessarily located on the border of
an AS. It may be a router inside an area, or an ABR. As shown in Figure 7-2, A is an ASBR.
Virtual Link
OSPF supports virtual links. A virtual link is a logical link that belongs to the backbone area. It is used to resolve the problems
such as a discontinuous backbone area or a failure to directly connect a normal area to the backbone area on the physical
network. A virtual link supports traversal of only one normal area, and this area is called transit area. Routers on both ends of
a virtual link are ABRs.
Figure 7-3 Discontinuous Backbone Area on the Physical Network
Configuration Guide Configuring OSPFv3
As shown in Figure 7-3, a virtual link is set up between A and B to connect two separated parts of Area 0. Area 1 is a transit
area, and A and B are ABRs of Area 1.
Figure 7-4 Failure to Directly Connect a Normal Area to the Backbone Area on the Physical Network
As shown in Figure 7-4, a virtual link is set up between A and B to extend Area 0 to B so that Area 0 can be directly
connected to Area 2 on B. Area 1 is a transit area, A is an ABR of Area 1, and B is an ABR of Area 0 and Area 2.
LSA
OSPF describes the routing information by means of Link State Advertisement (LSA).
LSA Type Description
Router-LSA(Type1) This LSA is originated by every router. It describes the link state and cost of the
router, and is advertised only within the area where the originating router is located.
Network-LSA(Type2) This LSA is originated by a designated router (DR). It describes the state of the
current link, and is advertised only within the area where the DR is located.
Inter-Area-Prefix-LSA(Type3) This LSA is originated by an ABR. It describes a route to another area, and is
advertised to areas except totally stub areas or Not-So-Stubby Area (NSSA) areas.
Inter-Area-Router-LSA(Type4) This LSA is originated by an ABR. It describes a route to an ASBR, and is
advertised to areas except areas where the ASBR is located.
AS-external-LSA(Type5) This LSA is originated by an ABR. It describes a route to a destination outside the
AS, and is advertised to all areas except the stub and NSSA areas.
NSSA LSA(Type7) This LSA is originated by an ABR. It describes a route to a destination outside the
AS, and is advertised only within the NASSA areas.
Link-LSA(Type8) This LSA is originated by every router. It describes the link-local address and IPv6
prefix address of each link, and provides the link option that will be set in the
Configuration Guide Configuring OSPFv3
Stub areas, NSSA areas, totally stub areas, and totally NSSA areas are special forms of normal areas and help reduce
the load of routers and enhance reliability of OSPF routes.
OSPF Packet
The following table lists the protocol packets used by OSPF. These OSPF packets are encapsulated in IP packets and
transmitted in multicast or unicast mode.
Packet Type Description
Hello Hello packets are sent periodically to discover and maintain OSPF neighbor
relationships.
Database Description (DD) DD packets carry brief information about the local Link-State Database (LSDB) and
are used to synchronize the LSDBs between OSPF neighbors.
Link State Request (LSR) LSR packets are used to request the required LSAs from neighbors. LSR packets
are sent only after DD packets are exchanged successfully between OSPF
neighbors.
Link State Update (LSU) LSU packets are used to send the required LSAs to peers.
Link State Acknowledgment LSAck packets are used to acknowledge the received LSAs.
(LSAck)
Overview
Feature Description
Link-State Routing Run OSPF on the router to obtain routes to different destinations on the network.
Protocols
OSPF Route Properly plan or optimize OSPF routes through manual configuration to implement
Management management of OSPF routes.
Enhanced Security Use functions such as authentication to enhance security, stability, and reliability of OSPF.
and Reliability
Network Use functions such as the MIB and Syslog to facilitate OSPF management.
Management
Functions
Working Principle
Routers send Hello packets through all OSPF-enabled interfaces (or virtual links). If Hello packets can be exchanged
between two routers, and parameters carried in the Hello packets can be successfully negotiated, the two routers become
neighbors. Routers that are mutually neighbors find their own router IDs from Hello packets sent from neighbors, and
bidirectional communication is set up.
A Hello packet includes, but is not limited to, the following information:
Neighbor dead interval of the originating router interface (or virtual link)
After bidirectional communication is set up between neighbor routers, the DD, LSR, LSU, and LSAck packets are used to
exchange LSAs and set up the adjacency. The brief process is as follows:
The LSA is exchanged between neighbors. When a router receives the LSA from its neighbor, it copies the LSA and
saves the copy in the local LSDB, and then advertises the LSA to other neighbors.
When the router and its neighbors obtain the same LSDB, full adjacency is achieved.
OSPF will be very quiet without changes in link costs or network addition or deletion. If any change takes place, the
changed link states are advertised to quickly synchronize the LSDB.
After the complete LSDB is obtained from the router, the Dijkstra algorithm is run to generate an SPT from the local router to
each destination network. The SPT records the destination networks, next-hop addresses, and costs. OSPF generates a
routing table based on the SPT.
If changes in link costs or network addition or deletion take place, the LSDB will be updated. The router again runs the
Dijkstra algorithm, generates a new SPT, and updates the routing table.
The Dijkstra algorithm is used to find a shortest path from a vertex to other vertices in a weighted directed graph.
A router does not necessarily need to exchange LSAs with every neighbor and set up an adjacency with every neighbor. To
improve efficiency, OSPF classifies networks that use various link layer protocols into five types so that LSAs are exchanged
in different ways to set up an adjacency:
Broadcast
The DR (or BDR) exchanges LSAs with all other routers to set up an adjacency. Except the DR and BDR, all other
routers do not exchange LSAs with each other, and the adjacency is not set up.
Ethernet and fiber distributed data interface (FDDI) belong to the broadcast network type by default.
Neighbors are manually configured, and the DR and BDR are elected.
The DR (or BDR) exchanges LSAs with all other routers to set up an adjacency. Except the DR and BDR, all other
routers do not exchange LSAs with each other, and the adjacency is not set up.
Point-to-point (P2P)
LSAs are exchanged between routers at both ends of the link, and the adjacency is set up.
PPP, HDLC, and LAPB belong to the P2P network type by default.
Point-to-multipoint(P2MP)
LSAs are exchanged between any two routers, and the adjacency is set up.
Networks without any link layer protocol belong to the P2MP network type by default.
P2MP broadcast
LSAs are exchanged between any two routers, and the adjacency is set up.
Networks without any link layer protocol belong to the P2MP network type by default.
Figure 7-5
Display the OSPF routes (marked in red) in the routing table of Router C.
O - OSPF intra area, OI - OSPF inter area, OE1 - OSPF external type 1, OE2 - OSPF external type 2
ON1 - OSPF NSSA external type 1, ON2 - OSPF NSSA external type 2
The XS-S1960-H series switch do not support ISIS or BGP. The configuration example is only for reference.
A mark is displayed in front of each OSPF route to indicate the type of the route. There are six types of OSPF routes:
O: Intra-area route
Configuration Guide Configuring OSPFv3
This type of route describes how to arrive at a destination network in the local area. The cost of this type of route is
equal to the cost of the route from the local router to the destination network.
This type of route describes how to arrive at a destination network in another area. The cost of this type of route is equal
to the cost of the route from the local router to the destination network.
This type of route describes how to arrive at a destination network outside the AS. The cost of this type of route is equal
to the cost of the route from the local router to the ASBR plus the cost of the route from the ASBR to the destination
network. This type of route does not exist on routers in the stub or NSSA area.
This type of route describes how to arrive at a destination network outside the AS. The cost of this type of route is equal
to the cost of the route from the ASBR to the destination network. This type of route does not exist on routers in the stub
or NSSA area.
This type of route describes how to arrive at a destination network outside the AS through the ASBR in the NSSA area.
The cost of this type of route is equal to the cost of the route from the local router to the ASBR plus the cost of the route
from the ASBR to the destination network. This type of route exists only on routers in the NSSA area.
This type of route describes how to arrive at a destination network outside the AS through the ASBR in the NSSA area.
The cost of this type of route is equal to the cost of the route from the ASBR to the destination network. This type of
route exists only on routers in the NSSA area.
Reliability of OE2 and ON2 routes is poor. OSPF believes that the cost of the route from the ASBR to a destination
outside an AS is far greater than the cost of the route to the ASBR within the AS. Therefore, when the route cost is
computed, only the cost of the route from the ASBR to a destination outside an AS is considered.
Related Configuration
Enabling OSPF
Router ID
By default, the OSPF process elects the largest IPv4 address among the IPv4 addresses of all the loopback interfaces as the
router ID. If the loopback interfaces configured with IPv4 addresses are not available, the OSPF process elects the largest
IPv4 address among the IPv4 addresses of all the physical ports as the router ID.
Alternatively, you can run the router-id command to manually specify the router ID.
Configuration Guide Configuring OSPFv3
Run the ipv6 ospf hello-interval command to modify the Hello interval on the interface. The default value is 10s (or 30s for
NBMA networks).
Run the ipv6 ospf dead-interval command to modify the neighbor dead interval on the interface. The default value is four
times the Hello interval.
Use the poll-interval parameter in the ipv6 ospf neighbor command to modify the neighbor polling interval on the NBMA
interface. The default value is 120s.
Run the ipv6 ospf transmit-delay command to modify the LSU packet transmission delay on the interface. The default
value is 1s.
Run the ipv6 ospf retransmit-interval command to modify the LSU packet retransmission interval on the interface. The
default value is 5s.
Use the hello-interval parameter in the area virtual-link command to modify the Hello interval on the virtual link. The default
value is 10s.
Use the dead-interval parameter in the area virtual-link command to modify the neighbor dead interval on the virtual link.
The default value is four times the Hello interval.
Use the transmit-delay parameter in the area virtual-link command to modify the LSU packet transmission delay on the
virtual link. The default value is 1s.
Use the retransmit-interval parameter in the area virtual-link command to modify the LSU packet retransmission interval
on the virtual link. The default value is 5s.
Run the timers throttle lsa all command to modify parameters of the exponential backoff algorithm that generates LSAs.
The default values of these parameters are 0 ms, 5000 ms, and 5000 ms.
Run the timers pacing lsa-group command to modify the LSA group update interval. The default value is 30s.
Run the timers pacing lsa-transmit command to modify the LS-UPD packet sending interval and the number of sent
LS-UPD packets. The default values are 40 ms and 1.
Run the timers lsa arrival command to modify the delay after which the same LSA is received. The default value is 1000 ms.
Run the timers throttle spf command to modify the SPT computation delay, minimum interval between two SPT
computations, and maximum interval between two SPT computations. The default values are 1000 ms, 5000 ms, and 10000
ms.
By default, Ethernet and FDDI belong to the broadcast type, X.25, frame relay, and ATM belong to the NBMA type, and PPP,
HDLC, and LAPB belong to the P2P type.
Run the ipv6 ospf network command to manually specify the network type of an interface.
Run the ipv6 ospf neighbor command to manually specify a neighbor. For the NBMA and P2MP non-broadcast types, you
must manually specify neighbors.
Run the ipv6 ospf priority command to adjust the priorities of interfaces, which are used for DR/BDR election. The DR/BDR
election is required for the broadcast and NBMA types. The router with the highest priority wins in the election, and the router
with the priority of 0 does not participate in the election. The default value is 1.
Configuration Guide Configuring OSPFv3
Working Principle
The (totally) stub and (totally) NSSA areas help reduce the protocol interaction load and the size of the routing table.
If an appropriate area is configured as a (totally) stub or NSSA area, advertisement of a large number of Type 5 and
Type 3 LSAs can be avoided within the area.
The ABR uses Type 3 LSAs to advertise a default route to the (totally) stub or NSSA area.
The ABR converts Type 7 LSAs in the totally NSSA area to Type 5 LSAs, and advertise Type 5 LSAs to the backbone
area.
If an area is appropriately configured as a (totally) stub area or an NSSA area, a large number of OE1, OE2, and OI
routes will not be added to the routing table of a router in the area.
Area Routes Available in the Routing Table of a Router Inside the Area
Non (totally) stub area and O: a route to a destination network in the local area
NSSA area OI: a route to a destination network in another area
OE1 or OE2: a route or default route to a destination network segment outside the AS
(via any ASBR in the AS)
Stub area O: a route to a destination network in the local area
OI: a route or a default route to a destination network in another area
Totally stub area O: a route to a destination network in the local area
OI: a default route
NSSA area O: a route to a destination network in the local area
OI: a route or a default route to a destination network in another area
ON1 or ON2: a route or default route to a destination network segment outside the AS
(via an ASBR in the local area)
Configuration Guide Configuring OSPFv3
Area Routes Available in the Routing Table of a Router Inside the Area
Totally NSSA area O: a route to a destination network in the local area
OI: a default route
ON1 or ON2: a route or default route to a destination network segment outside the AS
(via an ASBR in the local area)
Route Redistribution
Route redistribution refers to the process of introducing routes of other routing protocols, routes of other OSPF processes,
static routes, and direct routes that exist on the device to an OSPF process so that these routes can be advertised to
neighbors using Type 5 and Type 7 LSAs. A default route cannot be introduced during route redistribution.
Route redistribution is often used for interworking between ASs. You can configure route redistribution on an ASBR to
advertise routes outside an AS to the interior of the AS, or routes inside an AS to the exterior of the AS.
By configuring a command on an ASBR, you can introduce a default route to an OSPF process so that the route can be
advertised to neighbors using Type 5 and Type 7 LSAs.
Default route introduction is often used for interworking between ASs. One default route is used to replace all the routes
outside an AS.
Route Summarization
Route summarization is a process of summarizing routing information with the same prefix into one route, and advertising the
summarized route (replacing a large number of individual routes) to neighbors. Route summarization helps reduce the
protocol interaction load and the size of the routing table.
By default, the ABR advertises inter-area routing information by using Type3 LSAs within a network segment, and advertises
redistributed routing information by using Type 5 and Type 7 LSAs.If continuous network segments exist, it is recommended
that you configure route summarization.
Route Filtering
OSPF supports route filtering to ensure security and facilitate control when the routing information is being learned,
exchanged, or used.
Using configuration commands, you can configure route filtering for the following items:
Interface: The interface is prevented from sending routing information (any LSAs) or exchanging routing information
(any LSAs) with neighbors.
Routing information outside an AS: Only the routing information that meets the filtering conditions can be redistributed
to the OSPF process (Type 5 and Type 7 LSAs).
LSAs received by a router: In the OSPF routing table, only the routes that are computed based on the LSAs meeting the
filtering conditions can be advertised.
Route Cost
Configuration Guide Configuring OSPFv3
If redundancy links or devices exist on the network, multiple paths may exist from the local device to the destination network.
OSPF selects the path with the minimum total cost to form an OSPF route. The total cost of a path is equal to the sum of the
costs of individual links along the path.The total cost of a path can be minimized by modifying the costs of individual links
along the path. In this way, OSPF selects this path to form a route.
Using configuration commands, you can modify the following link costs:
Cost from an interface to a directly connected network segment and cost from the interface to a neighbor
Cost from an ASBR to an external network segment and cost from the ASBR to the default network segment
Both the cost and the metric indicate the cost and are not differentiated from each other.
The administrative distance (AD) evaluates reliability of a route, and the value is an integer ranging from 0 to 255. A smaller
AD value indicates that the route is more trustworthy. If multiples exist to the same destination, the route preferentially selects
a route with a smaller AD value. The route with a greater AD value becomes a floating route, that is, a standby route of the
optimum route.
By default, the route coming from one source corresponds to an AD value. The AD value is a local concept. Modifying the AD
value affects route selection only on the current router.
Route Directly-connecte Static OSPF RIP Unreachabl
Source d network route Route Route e Route
Default 0 1 110 120 255
AD
Related Configuration
Stub Area
Run the area stub command to configure a specified area as a stub area.
By default, routes are not redistributed and the default route is not introduced.
After configuring route redistribution and default route introduction, the router automatically becomes an ASBR.
Route Summarization
Configuration Guide Configuring OSPFv3
By default, routes are not summarized. If route summarization is configured, a discard route will be automatically added.
Run the area range command to summarize routes (Type 3 LSA) distributed between areas on the ABR.
Run the summary-prefix command to summarize redistributed routes (Type 5 and Type 7 LSAs) on the ASBR.
Route Filtering
Run the passive-interface command to configure a passive interface. Routing information (any LSAs) cannot be exchanged
on a passive interface.
Use the route-map parameter in the redistribute command, or use the distribute-list out command to filter the external
routing information of the AS on the ASBR. Only the routing information that meets the filtering conditions can be
redistributed to the OSPF process (Type 5 LSAs).
Run the distribute-list in command to filter LSAs received by the router. In the OSPF routing table, only the routes that are
computed based on the LSAs meeting the filtering conditions can be advertised.
Route Cost
Cost from the interface to the directly-connected network segment (cost on the interface)
The default value is the auto cost. Auto cost = Reference bandwidth/Interface bandwidth
Run the auto-cost reference-bandwidth command to set the reference bandwidth of the auto cost. The default value
is 100 Mbps.
Run the ipv6 ospf cost command to manually set the cost of the interface. The configuration priority of this item is
higher than that of the auto cost.
Cost from the interface to a specified neighbor (that is, cost from the local device to a specified neighbor)
The default value is the auto cost.
Use the cost parameter in the ipv6 ospf neighbor command to modify the cost from the interface to a specified
neighbor. The configuration priority of this item is higher than that of the cost of the interface.
This configuration item is applicable only to P2MP-type interfaces.
Cost from the ABR to the default network segment (that is, the cost of the default route that is automatically advertised
by the ABR to the stub or NSSA areas)
The default value is 1.
Run the area default-cost command to modify the cost of the default route that the ABR automatically advertise to the
stub areas.
Cost from the ASBR to an external network segment (that is, the metric of an external route)
By default, the metric of other types of redistributed routes is 20, and the route type is Type 2 External.
Run the default-metric command to modify the default metric of the external route.
Use the metric,metric-type, and route-map parameters in the redistribute command to modify the metric and route
type of the external route.
Cost from the ASBR to the default network segment (that is, the metric of the default route that is manually introduced)
By default, the metric is 1, and the route type is Type 2 External.
Use the metric,metric-type, and route-map parameters in the default-information originate command to modify the
Configuration Guide Configuring OSPFv3
metric and route type of the default route that is manually introduced.
Working Principle
Authentication
OSPFv3 uses the authentication mechanism, that is, IP authentication header (AH) and IP Encapsulating Security Payload
(ESP), provided by IPv6 to prevent unauthorized routers that access the network and hosts that forge OSPF packets to
participate in OSPF routing. OSPF packets received on the OSPF interface (or at both ends of a virtual link) are
authenticated. If authentication fails, the packets are discarded and the adjacency cannot be set up.
Enabling authentication can avoid learning unauthenticated or invalid routes, thus preventing advertising valid routes to
unauthenticated devices. In the broadcast-type network, authentication also prevents unauthenticated devices from
becoming designated devices, ensuring stability of the routing system and protecting the routing system against intrusions.
MTU Verification
On receiving a DD packet, OSPF checks whether the MTU of the neighbor interface is the same as the MTU of the local
interface. If the MTU of the interface specified in the received DD packet is greater than the MTU of the interface that
receives the packet, the adjacency cannot be set up. Disabling MTU verification can avoid this problem.
Two-Way Maintenance
OSPF routers periodically send Hello packets to each other to maintain the adjacency. On a large network, a lot of packets
may be sent or received, occupying too much CPU and memory. As a result, some packets are delayed or discarded. If the
processing time of Hello packets exceeds the dead interval, the adjacency will be destroyed.
If the two-way maintenance function is enabled, in addition to the Hello packets, the DD, LSU, LSR, and LSAck packets can
also be used to maintain the bidirectional communication between neighbors, which makes the adjacency more stable.
When a router simultaneously exchanges data with multiple neighbors, its performance may be affected. If the maximum
number of neighbors that concurrently initiate or accept interaction with the OSPF process, the router can interact with
neighbors by batches, which ensures data forwarding and other key services.
GR
The control and forwarding separated technology is widely used among routers. On a relatively stable network topology,
when a GR-enabled router is restarted on the control plane, data forwarding can continue on the forwarding plane. In
Configuration Guide Configuring OSPFv3
addition, actions (such as adjacency re-forming and route computation) performed on the control plane do not affect
functions of the forwarding plane. In this way, service interruption caused by route flapping can be avoided, thus enhancing
reliability of the entire network.
Currently, the GR function is used only during active/standby switchover and system upgrade.
The GR process requires collaboration between the restarter and the helper. The restarter is the router where GR
occurs. The helper is a neighbor of the restarter.
When entering or exiting the GR process, the restarter sends a Grace-LSA to the neighbor, notifying the neighbor to
enter or exit the helper state.
When the adjacency between the restarter and the helper reaches the Full state, the router can exit the GR process
successfully.
Fast Hello
After a link fault occurs, it takes a period of time (about 40s) before OSPF can sense the death of the neighbor. Then, OSPF
advertises the information and re-computes the SPT. During this period, traffic is interrupted.
After the fast Hello function is enabled (that is, the neighbor dead interval is set to 1s), OSPF can sense the death of a
neighbor within 1s once a link is faulty. This greatly accelerates route convergence and prevents traffic interruption.
Related Configuration
Run the area authentication command to enable authentication in the entire area so that the authentication function
takes effect on all interfaces in this area. If authentication is enabled in area 0, the function also takes effect on the
virtual link.
Run the area encryption command to enable encryption and authentication in the entire area so that the
encryptionand authentication functions take effect on all interfaces in this area. If encryptionand authentication are
enabled in area 0, the functions also take effect on the virtual link.
Run the ipv6 ospf authentication command to enable authentication on an interface. This configuration takes
precedence over the area-based configuration.
Run the ipv6 ospf encryption command to enable encryptionand authentication on an interface. This configuration
takes precedence over the area-based configuration.
Use the authentication parameter in the area virtual-link command to enable authentication at both ends of a virtual
link. This configuration takes precedence over the area-based configuration.
Use the encryption parameter in the area virtual-link command to enable encryptionand authentication at both ends
of a virtual link. This configuration takes precedence over the area-based configuration.
MTU Verification
Run the ipv6 ospf mtu-ignore command to disable MTU verification on an interface.
Two-Way Maintenance
Run the max-concurrent-dd command to modify the maximum number of neighbors that are concurrently interacting with
the current OSPF process. The default value is 5.
Run the ipv6 router ospf max-concurrent-dd command to modify the maximum number of neighbors that are concurrently
interacting with all OSPF processes on the router. The default value is 10.
GR
By default, the restarter function is disabled, and the helper function is enabled.
Fast Hello
Run the ipv6 ospf dead-interval minimal hello-multiplier command to enable the Fast Hello function on an interface, that
is, the neighbor dead interval is 1s.
Working Principle
MIB
MIB is the device status information set maintained by a device. You can use the management program to view and set the
MIB node.
Multiple OSPF processes can be simultaneously started on a router, but the OSPF MIB can be bound with only one OSPF
process.
Trap
A trap message is a notification generated when the system detects a fault. This message contains the related fault
information.
If the trap function is enabled, the router can proactively send the trap messages to the network management device.
Syslog
The Syslog records the operations (such as command configuration) performed by users on routers and specific events
(such as network connection failures).
If the syslog is allowed to record the adjacency changes, the network administrator can view the logs to learn the entire
process that the OSPF adjacency is set up and maintained.
Related Configuration
MIB
By default, the MIB is bound with the OSPF process with the smallest process ID.
Run the enable mib-binding command to bind the MIB with the current OSPF process.
Trap
By default, all traps functions are disabled, and the device is not allowed to send OSPF traps.
Run the snmp-server enable traps ospf command to allow the device to send OSPF traps.
Run the enable traps command to enable a specified trap function for an OSPF process.
Syslog
Run the log-adj-changes command to allow the Syslog to record the adjacency changes.
Configuration Guide Configuring OSPFv3
7.4 Configuration
(Optional) The configurations are mandatory if the physical network is the X.25, frame
relay, or ATM network.
Setting the Network
ipv6 ospf network Defines the network type.
Type
ipv6 ospf neighbor Specifies a neighbor.
ipv6 ospf priority Configures the DR priority.
(Optional) It is used to reduce interaction of routing information and the size of routing
Configuring the Stub
table, and enhance stability of routes.
Area
areastub Configures a stub area.
(Optional) It is used to reduce interaction of routing information and the size of routing
table, and enhance stability of routes.
Configuring Route Summarizes routes that are advertised
arearange
Summarization between areas.
Summarizes routes that are introduced
summary-prefix
through redistribution.
(Optional) It is used to manually control the shortest route computed by OSPF and
determine whether to select an OSPF route preferentially.
Modifying the Route Modifies the reference bandwidth of the
auto-costreference-bandwidth
Cost and AD auto cost.
Modifies the cost in the outbound
ipv6 ospf cost
direction of an interface.
Configuration Guide Configuring OSPFv3
(Optional) It is used to prevent routers that illegally access the network and hosts that
forge OSPF packets from participating in the OSPF protocol process.
Enables authentication and sets the
areaauthentication
authentication mode in an area.
Enables encryption and authentication
areaencryption and sets the authentication mode in an
Enabling Authentication
area.
Enables authentication and sets the
ipv6 ospf authentication
authentication mode on an interface.
Enables encryption and authentication
ipv6 ospf encryption and sets the authentication mode on an
interface.
(Optional) It is used to prevent the problem that the adjacency cannot be set up due to
Disabling MTU
MTU inconsistency on the neighbor interface.
Verification
ipv6 ospf mtu-ignore Disables MTU verification on an interface.
(Optional) It is used to prevent termination of the adjacency due to the delay or loss of
Enabling Two-Way
Hello packets.
Maintenance
two-way-maintain Enables two-way maintenance.
(Optional) You are advised not to modify protocol control parameters unless
necessary.
ipv6 ospf hello-interval Modifies the Hello interval on an interface.
Modifies the neighbor death interval on an
ipv6 ospf dead-interval
interface.
Modifies the LSU packet transmission
ipv6 ospf transmit-delay
delay on an interface.
Modifies the LSU packet retransmission
ipv6 ospf retransmit-interval
interval on an interface.
Modifies parameters of the exponential
Modifying Protocol timers throttle lsa all
backoff algorithm that generates LSAs.
Control Parameters
timerspacinglsa-group Modifies the LSA group update interval.
Modifies the LS-UPD packet sending
timers pacing lsa-transmit
interval.
Modifies the delay after which the same
timers lsa arrival
LSA is received.
timers throttlespf Modifies the SPT computation timer.
Modifies the inter-area route computation
timers throttle route inter-area
delay.
Modifies the inter-area route computation
timers throttle route ase
delay.
Set up an OSPF routing domain on the network to provide IPv6 unicast routing service for users on the network.
Notes
Ensure that the IPv6 routing function is enabled, that is, ipv6 routing is not disabled; otherwise, OSPF cannot be
enabled.
Configuration Steps
Mandatory.
Configuring a Router ID
(Optional) It is strongly recommended that you manually configure the router ID.
If the router ID is not configured, OSPF selects an interface IP address. If the IP address is not configured for any
interface, or the configured IP addresses have been used by other OSPF instances, you must manually configure the
router ID.
Mandatory.
Verification
Run the show ipv6 route ospf command to verify that the entries of the OSPF routing table are correctly loaded.
Run the ping command to verify that the IPv6 unicast service is correctly configured.
Related Commands
Configuring a Router ID
Command router-idrouter-id
Parameter router-id: Indicates the ID of the device, which is expressed in the IPv4 address.
Description
Command OSPF routing process configuration mode
Mode
Usage Guide Every device where OSPFv3 run must be identified by using a router ID. You can configure any IPv4
address as the router ID of the device, and ensure that the router ID is unique in an AS. If multiple
OSPFv3 processes run on the same device, the router ID of each process must also be unique.
After the router ID changes, OSPF performs a lot of internal processing. Therefore, you are advised
Configuration Guide Configuring OSPFv3
not to change the router ID unless necessary. When an attempt is made to modify the router ID, a
prompt is displayed, requesting you to confirm the modification. After the OSPFv3 process is enabled,
you are advised to specify the router ID before configuring other parameters of the process.
ranges from 0 to 255. A virtual link cannot be set up between devices with different instance IDs.
spi: Indicates the security parameter index (SPI). The value ranges from 256 to 4,294,967,295.
md5: Enables message digit 5 (MD5) authentication.
sha1: Enables Secure Hash Algorithm 1 (SHA1) authentication.
0: Indicates that the key is displayed in plain text.
7: Indicates that the key is displayed in cipher text.
key: Indicates the authentication key.
null: Indicates that no encryption mode is used.
des: Specifies the DES encryption mode.
3des: Specifies the 3DES encryption mode.
des-key: Indicates the encryption key.
Command OSPF routing process configuration mode
Mode
Usage Guide In an OSPFv3 AS, all areas must be connected to the backbone area to properly learn the routing
information of the entire OSPFv3 AS. If an area cannot be directly connected to the backbone area,
the virtual link can be used to connect this area to the backbone area.
The area where the virtual link is located cannot be a stub or NSSA area.
At both ends of neighbors between which the virtual link is set up, settings of hello-interval,
dead-interval, and instance must be consistent; otherwise, the adjacency cannot be set up properly.
Configuration Example
Scenario
Figure 7-7
Verification Verify that the OSPF neighbors are correct on all routers.
Verify that the routing table is correctly loaded on all routers.
Verify that 2001:2::2/64 can be pinged successfully on Router D.
A A#show ipv6 ospf neighbor
OSPFv3 Process (1), 1 Neighbors, 1 is Full:
Neighbor ID Pri State Dead Time Instance ID Interface
2.2.2.2 1 Full/BDR 00:00:30 0 GigabitEthernet 0/1
3.3.3.31 Full/BDR 00:00:35 0 GigabitEthernet 0/2
The 29 series switch does not support ISIS or BGP. The configuration example is only for reference.
Common Errors
OSPF cannot be enabled because the IPv6 unicast routing function is disabled.
If the physical network is X.25, Frame Relay, or ATM, OSPF can also run to provide the IPv6 unicast routing service.
Notes
The broadcast network sends multicast OSPF packets, automatically discovers neighbors, and elects a DR and a BDR.
The P2P network sends multicast OSPF packets and automatically discovers neighbors.
The NBMA network sends unicast OSPF packets. Neighbors must be manually specified, and a DR and a BDR must be
elected.
The P2MP network (without carrying the non-broadcast parameter) sends multicast OSPF packets. Neighbors are
automatically discovered.
The P2MP network (carrying the non-broadcast parameter) sends unicast OSPF packets. Neighbors must be
manually specified.
Configuration Steps
Optional.
Configuring a Neighbor
(Optional)If the interface network type is set to NBMA or P2MP (carrying the non-broadcast parameter), neighbors
must be configured.
Neighbors are configured on routers at both ends of the NBMA or P2MP (carrying the non-broadcast parameter)
network.
(Optional)You must configure the interface priority if a router must be specified as a DR, or a router cannot be specified
as a DR.
Configure the interface priority on a router that must be specified as a DR, or cannot be specified as a DR.
Verification
Configuration Guide Configuring OSPFv3
Run the show ipv6 ospf interface command to verify that the network type of each interface is correct.
Related Commands
Configuring a Neighbor
Usage Guide On a broadcast network, a DR or BDR must be elected. During the DR/BDR election, the device with a
higher priority will be preferentially elected as a DR or BDR. If the priority is the same, the device with a
larger router ID will be preferentially elected as a DR or BDR.
A device with the priority 0 does not participate in the DR/BDR election.
Configuration Example
Scenario
Figure 7-8
Common Errors
The network types configured on interfaces at two ends are inconsistent, causing abnormal route learning.
The network type is set to NBMA or P2MP (non-broadcast), but neighbors are not specified.
Introduce unicast routes for other AS domains to the OSPF domain to provide the unicast routing service to other AS
domains for users in the OSPF domain.
In the OSPF domain, inject a default route to another AS domain so that the unicast routing service to another AS
domain can be provided for users in the OSPF domain.
Notes
Configuration Steps
(Optional)This configuration is mandatory if external routes of the OSPF domain should be introduced to the ASBR.
(Optional)Perform this configuration if the default route should be introduced to an ASBR so that other routers in the
OSPF domain access other AS domains through this ASBR by default.
Verification
On a router inside the OSPF domain, run the show ipv6 route ospf command to verify that the unicast routes to other
AS domains are loaded.
On a router inside the OSPF domain, run the show ipv6 route ospf command to verify that the default route to the
ASBR is loaded.
Run the ping command to verify that the IPv6 unicast service to other AS domains is correct.
Related Commands
During configuration of route redistribution, the matchrules configured in route map configuration mode
areused based on the original information of routes. The priorities of tag, metric and metric-type in the
route redistribution configuration are lower than the priority of theset rulesconfigured in route map
configuration mode.
The set metric value of the associated routemap should fall into the range of 0 to 16,777,214. If the value
exceeds this range, routes cannot be introduced.
The configuration rules for the no form of the redistribute command are as follows:
Configuration Guide Configuring OSPFv3
1. If some parameters are specified in the no form of the command, default values of these parameters will
be restored.
2. If no parameter is specified in the no form of the command, the entire command will be deleted.
Configuration Example
Scenario
Figure 7-9
The 29 series switch does not support ISIS or BGP. The configuration example is only for reference.
Scenario
Figure 7-10
The 29 series switch does not support ISIS or BGP. The configuration example is only for reference.
Common Errors
A route loop is formed because the default-information originate always command is configured on multiple routers.
Routes cannot be introduced because route redistribution is configured on a router in the stub area.
Configure an area located on the stub as a stub area to reduce interaction of routing information and the size of routing
table, and enhance stability of routes.
Notes
Configuration Steps
(Optional) Perform this configuration if you wish to reduce the size of the routing table on routers in the area.
Verification
On a router in the stub area, run the show ipv6 route command to verify that the router is not loaded with any external
routes.
Related Commands
Configuration Example
Scenario
Figure 7-11
Verification On Router C, run the show ipv6 route ospf command to display the routing table. Verify that there is
only one default inter-area route, and no external static route is introduced from Router D.
C C#show ipv6 route ospf
The 29 series switch does not support ISIS or BGP. The configuration example is only for reference.
Common Errors
Configurations of the area type are inconsistent on routers in the same area.
Configuration Guide Configuring OSPFv3
External routes cannot be introduced because route redistribution is configured on a router in the stub area.
Summarize routes to reduce interaction of routing information and the size of routing table, and enhance stability of
routes.
Notes
The address range of the summarize route may exceed the actual network range in the routing table. If data is sent to a
network beyond the summarization range, a routing loop may be formed and the router processing load may increase.
To prevent these problems, a discard route must be added to the routing table or shield or filter routes.
Configuration Steps
(Optional) Perform this configuration when routes of the OSPF area need to be summarized.
Unless otherwise required, perform this configuration on an ABR in the area where routes to be summarized are
located.
(Optional) Perform this configuration when routes external to the OSPF domain need to be summarized.
Unless otherwise required, perform this configuration on an ASBR, to which routes that need to be summarized are
introduced.
Verification
Run the show ipv6 route ospf command to verify that individual routes do not exist and only the summarized route
exists.
Related Commands
Mode
Usage Guide This command takes effect only on an ABR, and is used to summarize multiple routes in an area into a route
and advertise this route to other areas. Combination of the routing information occurs only on the boundary
of an area. Routers inside the area can learn specific routing information, whereas routers in other areas can
learn only one summarized route. In addition, you can set advertise or not-advertise to determine whether
to advertise the summarized route to shield and filter routes. By default, the summarized route is advertised.
You can use the cost parameter to set the metric of the summarized route.
You can configure route summarization commands for multiple areas. This simplifies routes in the entire
OSPF routing domain, and improves the network forwarding performance, especially for a large-sized
network.
When multiple route summarization commands are configured and have the inclusive relationship with each
other, the area range to be summarized is determined based on the maximum match principle.
Configuration Example
Configuration Guide Configuring OSPFv3
Configuration
Steps
Figure 7-12
Common Errors
Inter-area route summarization cannot be implemented because the area range command is configured on a non-ABR
device.
Configuration Guide Configuring OSPFv3
Routes that do not meet filtering conditions cannot be loaded to the routing table, or advertised to neighbors. Network
users cannot access specified destination network.
Notes
Filtering routes by using the distribute-list in command affects forwarding of local routes, but does not affect route
computation based on LSAs. Therefore, if route filtering is configured on the ABR, Type 3 LSAs will still be generated
and advertised to other areas because routes can still be computed based on LSAs. As a result, black-hole routes are
generated. In this case, you can run the area filter-list or area range (containing the not-advertise parameter)
command on the ABR to prevent generation of black-hole routes.
Configuration Steps
(Optional) This configuration is recommended if users need to be restricted from accessing the network in a certain
OSPF area.
Unless otherwise required, perform this configuration on an ABR in the area where filtered routes are located.
(Optional) Perform this configuration if external routes introduced by the ASBR need to be filtered.
Unless otherwise required, perform this configurationon an ASBR to which filtered routes are introduced.
(Optional) Perform this configuration if users need to be restricted from accessing a specified destination network.
Unless otherwise required, perform this configurationon a router that requires route filtering.
Verification
Run the show ipv6 route command to verify that the router is not loaded with routes that have been filtered out.
Run the ping command to verify that the specified destination network cannot be accessed.
Related Commands
Mode
Usage Guide When an interface is configured as a passive interface, it no longer sends or receives Hello packets.
This command takes effect only on an OSPFv3-enabled interface, and not on a virtual link.
Configuration Example
Configuration Guide Configuring OSPFv3
Scenario
Figure 7-13
The 29 series switch does not support ISIS or BGP. The configuration example is only for reference.
Common Errors
Filtering routes by using the distribute-list in command affects forwarding of local routes, but does not affect route
computation based on LSAs. Therefore, if route filtering is configured on the ABR, Type 3 LSAs will still be generated
and advertised to other areas because routes can still be computed based on LSAs. As a result, black-hole routes are
generated.
Configuration Guide Configuring OSPFv3
Change the OSPF routes so that the traffic passes through specified nodes or bypasses specified nodes.
Change the sequence that a router selects routes so as to change the priorities of OSPF routes.
Notes
If you run the ipv6 ospf cost command to configure the cost of an interface, the configured cost will automatically
overwrite the cost that is computed based on the auto cost.
Configuration Steps
Optional.
A router is connected with lines with different bandwidths. This configuration is recommended if you wish to
preferentially select the line with a larger bandwidth.
Optional.
A router is connected with multiple lines. This configuration is recommended if you wish to manually specify a
preferential line.
Optional.
This configuration is mandatory if the cost of external routes of the OSPF domain should be specified when external
routes are introduced to an ASBR.
Optional.
A router may be unstable during the restart process or a period of time after the router is restarted, and users do not
want to forward data through this router. In this case, this configuration is recommended.
Configuring the AD
Optional.
Perform this configuration if you wish to change the priorities of OSPF routes on a router that runs multiple unicast
routing protocols.
Verification
Configuration Guide Configuring OSPFv3
Run the show ipv6 ospf interface command to verify that the costs of interfaces are correct.
Run the show ipv6 route command to verify that the costs of external routes introduced by the ASBR are correct.
Restart the router. Within a specified period of time, data is not forwarded through the restarted router.
Related Commands
Configuring the AD
Configuration Example
Scenario
Figure 7-14
A A#configure terminal
A(config)#interface GigabitEthernet 0/1
A(config-if-GigabitEthernet 0/1)#ipv6 ospf cost 10
A(config)#interface GigabitEthernet 0/2
A(config-if-GigabitEthernet 0/2)#ipv6 ospf cost 20
Verification On Router A, check the routing table. The next hop of the optimum path to 2001:16:1::/64 is Router B.
A A#show ipv6 route ospf
The 29 series switch does not support ISIS or BGP. The configuration example is only for reference.
Common Errors
If the cost of an interface is set to 0 in the ipv6 ospf cost command, a route computation error may occur. For example,
a routing loop is obtained.
All routers connected to the OSPF network must be authenticated to ensure stability of OSPF and protect OSPF
against intrusions.
Notes
If authentication is configured for an area, the configuration takes effect on all interfaces that belong to this area.
If authentication is configured for both an interface and the area to which the interface belongs, the configuration for the
interface takes effect preferentially.
Configuration Steps
Configuring Authentication
Optional.
Configuring Encryption
Optional.
Optional.
Optional.
Verification
If routers are configured with different authentication keys, run the show ipv6 ospf neighbor command to verify that
there is no OSPF neighbor.
If routers are configured with the same authentication key, run the show ipv6 ospf neighbor command to verify that
there are OSPF neighbors.
Related Commands
Command areaarea-idencryption ipsec spispi esp[ null|[ des | 3des ][ 0 | 7 ] des-key][md5|sha1] [0|7] key
Parameter area-id: Indicates the area ID.The value can be an integer or an IPv4 prefix.
Description spi: Indicates the SPI. The value ranges from 256 to 4,294,967,295.
null: Indicates that no encryption mode is used.
des: Indicates that the Data Encryption Standard (DES) mode is used.
3des: Indicates that the Triple DES (3DES) mode is used.
des-key: Indicates the encryption key.
md5: Enables MD5 authentication.
sha1: Enables SHA1 authentication.
0: Indicates that the key is displayed in plain text.
7: Indicates that the key is displayed in cipher text.
key: Indicates the authentication key.
Command OSPF routing process configuration mode
Mode
Usage Guide The RGOS supports two encryption modes and two authentication modes.
The two encryption modes are as follows:
DES
3DES
The two authentication modes are as follows:
MD5
SHA1
Configuration of area-based encryption and authentication for OSPFv3 takes effect on all interfaces (except
virtual links) in the area, but the interface-based encryption and authentication configuration takes
precedence over the area-based configuration.
SHA1 authentication
OSPFv3 authentication parameters configured on interconnected interfaces must be consistent.
Command ipv6 ospfencryption ipsec spispi esp[ null|[ des | 3des ][ 0 | 7 ] des-key][md5|sha1] [0|7]
key[instanceinstance-id]
Parameter spi: Indicates the SPI. The value ranges from 256 to 4,294,967,295.
Description null: Indicates that no encryption mode is used.
des: Indicates that the DES mode is used.
3des: Indicates that the3DES mode is used.
des-key: Indicates the encryption key.
md5: Enables MD5 authentication.
sha1: Enables SHA1 authentication.
0: Indicates that the key is displayed in plain text.
7: Indicates that the key is displayed in cipher text.
key: Indicates the authentication key.
instance instance-id: Indicates the ID of a specified OSPFv3 process of the interface. The value ranges
from 0 to 255.
Command OSPF routing process configuration mode
Mode
Usage Guide The RGOS supports two encryption modes and two authentication modes.
The two encryption modes are as follows:
DES
3DES
The two authentication modes are as follows:
MD5
SHA1
OSPFv3 encryption and authentication parameters configured on the local interface must be consistent with
those configured on the interconnected interfaces.
Configuration Example
Scenario
Figure 7-15
A A#configure terminal
A(config)#interface GigabitEthernet 0/1
A(config-if-GigabitEthernet 0/1)#ipv6 ospf authentication ipsec spi 256 md5
01234567890123456789012345678912
B B# configure terminal
B(config)#interface GigabitEthernet 0/3
B(config-if-GigabitEthernet 0/3)#ipv6 ospf authentication ipsec spi 256 md5
01234567890123456789012345678912
Verification On Router A and Router B, verify that the OSPF neighbor status is correct.
A A# show ipv6 ospf neighbor
OSPFv3 Process (1), 1 Neighbors, 1 is Full:
Neighbor ID Pri State Dead Time Instance ID Interface
2.2.2.2 1 Full/DR 00:00:38 0 GigabitEthernet 0/1
B B# show ipv6 ospf neighbor
OSPFv3 Process (1), 1 Neighbors, 1 is Full:
Neighbor ID Pri State Dead Time Instance ID Interface
1.1.1.1 1 Full/BDR 00:00:38 0 GigabitEthernet 0/1
Common Errors
Control the maximum number of concurrent neighbors on the OSPF process to ease the pressure on the device.
Notes
Configuration Steps
(Optional) This configuration is recommended if you wish to set up the OSPF adjacency more quickly when a router is
connected with a lot of other routers.
Verification
Run the show ipv6 ospf neighbor command to display the number of neighbors that are concurrently interacting with
the OSPF process.
Configuration Guide Configuring OSPFv3
Related Commands
Command max-concurrent-ddnumber
Parameter number: Specifies the maximum number of neighbors that are concurrently interacting with the OSPF
Description process. The value ranges from 1 to 65,535.
Command OSPF routing process configuration mode
Mode
Usage Guide When the performance of a router is affected because the router exchanges data with multiple neighbors,
you can configure this command to restrict the maximum of neighbors with which each OSPF process can
concurrently initiate or accept interaction.
Configuration Example
Scenario
Figure 7-16
Verification On the Router Core, check the neighbor status and verify that at most eight neighbors concurrently
interact with the OSPF process.
Common Errors
N/A
The unicast routing service can be provided even if the MTUs of interfaces on neighbor routers are different.
Notes
Configuration Steps
(Optional) MTU verification is disabled by default. You are advised to retain the default configuration.
Verification
Related Commands
Configuration Example
Configuration Guide Configuring OSPFv3
Scenario
Figure 7-17
Common Errors
N/A
Notes
Configuration Steps
(Optional) This function is enabled by default. You are advised to retain the default configuration.
Verification
Related Commands
Command two-way-maintain
Parameter N/A
Description
Command OSPF routing process configuration mode
Mode
Usage Guide On a large network, a lot of packets may be sent or received, occupying too much CPU and memory. As a
result, some packets are delayed or discarded. If the processing time of Hello packets exceeds the dead
interval, the adjacency will be destroyed due to timeout.If the two-way maintenance function is enabled, in
addition to the Hello packets, the DD, LSU, LSR, and LSAck packets can also be used to maintain the
bidirectional communication between neighbors when a large number of packets exist on the network. This
prevents termination of the adjacency caused by delayed or discarded Hello packets.
Configuration Example
Scenario
Figure 7-18
Common Errors
N/A
Configuration Guide Configuring OSPFv3
7.4.12 Enabling GR
Configuration Effect
When a distributed route switches services from the active board to the standby board, traffic forwarding continues and
is not interrupted.
When the OSPF process is being restarted, data forwarding continues and is not interrupted.
Notes
The grace period cannot be shorter than the neighbor dead time of the neighbor router.
Configuration Steps
(Optional) This function is enabled by default. You are advised to retain the default configuration.
Perform this configuration on routers where hot standby switchover is triggered or the OSPF process is restarted.
(Optional) This function is enabled by default. You are advised to retain the default configuration.
Perform this configuration on a router if hot standby switchover is triggered or the OSPF process is restarted on a
neighbor of this router.
Verification
When a distributed router switches services from the active board to the standby board, data forwarding continues and
the traffic is not interrupted.
When the OSPF process is being restarted, data forwarding continues and the traffic is not interrupted.
Related Commands
Usage Guide The GR function is configured based on the OSPF process. You can configure different parameters for
different OSPF processes based on the actual conditions. This command is used to configure the GR
restarter capability of a device. The grace period is the maximum time of the entire GR process, during
which link status is rebuilt so that the original state of the OSPF process is restored. After the grace period
expires, OSPF exits the GR state and performs common OSPF operations.
Run the graceful-restart command to set the grace period to 120s. The graceful-restart grace-period
command allows you to modify the grace period explicitly.
The precondition for successful execution of GR and uninterrupted forwarding is that the topology remains
stable. If the topology changes, OSPF quickly converges without waiting for further execution of GR, thus
avoiding long-time forwarding black-hole.
Disabling topology detection: If OSPF cannot converge in time when the topology changes during the
hot standby process, forwarding black-hole may appear in a long time.
Enabling topology detection: Forwarding may be interrupted when topology detection is enabled, but
the interruption time is far shorter than that when topology detection is disabled.
In most cases, it is recommended that topology detection be enabled. In special scenarios, topology
detection can be disabled if the topology changes after the hot standby process, but it can be ensured that
the forwarding black-hole will not appear in a long time. This can minimize the forwarding interruption time
during the hot standby process.
If the Fast Hello function is enabled, the GR function cannot be enabled.
recommended that you disable the LSA checking options (strict-lsa-checking and internal-lsa-checking)
because regional network changes may trigger termination of GR and consequently reduce the
convergence of the entire network.
Configuration Example
Scenario
Figure 7-19
Common Errors
Traffic forwarding is interrupted during the GR process because the configured grace period is shorter than the
neighbor dead time of the neighbor router.
Use the network management software to manage OSPF parameters and monitor the OSPF running status.
Notes
You must enable the trap function of the SNMP server before enabling the OSPF trap function.
You must enable the logging function of the device before outputting the OSPF logs.
Configuration Steps
(Optional) This configuration is required if you want to use the network management software to manage parameters of
a specified OSPF process.
(Optional) This configuration is required if you want to use the network management software to monitor the OSPF
running status.
(Optional) This function is enabled by default. You are advised to retain the default configuration. If you want to reduce
the log output, disable this function.
Verification
Use the network management software to monitor the OSPF running status.
Related Commands
Configuration Example
Scenario
Figure 7-20
A A# configure terminal
A(config)#snmp-server host 192.168.2.2 traps version 2c public
A(config)#snmp-server community public rw
A(config)#snmp-server enable traps
A(config)#
A(config)# ipv6 routerospf 10
A(config-router)# enable mib-binding
A(config-router)# enable traps
Verification Use the MIB tool to read and set the OSPF parameters and display the OSPF running status.
Common Errors
N/A
Notes
The neighbor dead time cannot be shorter than the Hello interval.
Configuration Steps
(Optional) You are advised to retain the default configuration. This configuration can be adjusted if you wish to
accelerate OSPF convergence when a link fails.
(Optional) You are advised to adjust this configuration if a lot of routes exist in the user environment and network
congestion is serious.
(Optional) You are advised to retain the default configuration. This configuration can be adjusted if a lot of routes exist in
the user environment.
Verification
Run the show ipv6 ospf and show ipv6 ospf neighbor commands to display the protocol running parameters and
status.
Related Commands
hold-time: Indicates the minimum interval between the first LSA update and the second LSA update. The
value ranges from 1 to 600,000. The unit is ms.
max-wait-time: Indicates the maximum interval between two LSA updates when the LSA is updated
continuously. This interval is also used to determine whether the LSA is updated continuously. The value
ranges from 1 to 600,000. The unit is ms.
Command OSPF routing process configuration mode
Mode
Usage Guide If a high convergence requirement is raised when a link changes, you can set delay-time to a smaller value.
You can also appropriately increase values of the preceding parameters to reduce the CPU usage.
When configuring this command, the value of hold-time cannot be smaller than the value of delay-time,
and the value of max-wait-time cannot be smaller than the value of hold-time.
Configuration Example
Scenario
Figure 7-21
Common Errors
The configured neighbor dead time is shorter than the Hello interval.
Configuration Guide Configuring OSPFv3
7.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears and resets an OSPF process. clear ipv6 ospf [ process-id]process
Displaying
Description Command
Displays the OSPF process show ipv6 ospf [ process-id ]
configurations.
Displays information about the OSPF show ipv6 ospf[process- id] database[lsa-type [adv-routerrouter-id] ]
LSDB.
Displays OSPF-enabled interfaces. show ipv6 ospf [ process-id ] interface [ interface-type interface-number | brief]
Displays the OSPF neighbor list. show ipv6 ospf[process- id] neighbor[interface-type interface-number[detail]|
neighbor-id |detail]
Displays the OSPF routing table. show ipv6 ospf [ process-id ] route[ count ]
Displays the summarized route of showipv6ospf[process-id]summary-prefix
OSPF redistributed routes.
Displays the OSPF network topology show ipv6 ospf[process- id] topology [areaarea-id]
information.
Displays OSPF virtual links. show ipv6 ospf [ process-id ] virtual-links
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs OSPF events. debug ipv6 ospf events [abr|asbr|os|nssa|router| vlink]
Debugs OSPF interfaces. debug ipv6 ospf ifsm [events|status|timers]
Debugs OSPF neighbors. debug ipv6 ospf nfsm [events | status | timers]
Debugs the OSPF NSM. debug ipv6 ospf nsm [interface | redistribute | route]
Debugs OSPF LSAs. debug ipv6 ospf lsa [flooding | generate | install | maxage | refresh]
Debugs OSPF packets. debug ipv6 ospf packet [dd|detail|hello|ls-ack|ls-request|ls-update|recv|send]
Debugs OSPF routes. debug ipv6 ospf route [ase | ia | install | spf | time]
Security Configuration
1. Configuring AAA
2. Configuring RADIUS
3. Configuring TACACS+
4. Configuring 802.1X
5. Configuring SCC
1 Configuring AAA
1.1 Overview
Authentication, authorization, and accounting (AAA) provides a unified framework for configuring the authentication,
authorization, and accounting services. Ruijie Networks devices support the AAA application.
Authentication: Refers to the verification of user identities for network access and network services. Authentication is
classified into local authentication and authentication through Remote Authentication Dial In User Service (RADIUS) and
Terminal Access Controller Access Control System+ (TACACS+).
Authorization: Refers to the granting of specific network services to users according to a series of defined attribute-value (AV)
pairs. The pairs describe what operations users are authorized to perform. AV pairs are stored on network access servers
(NASs) or remote authentication servers.
Accounting: Refers to the tracking of the resource consumption of users. When accounting is enabled, NASs collect statistics
on the network resource usage of users and send them in AV pairs to authentication servers. The records will be stored on
authentication servers, and can be read and analyzed by dedicated software to realize the accounting, statistics, and tracking
of network resource usage.
AAA is the most fundamental method of access control. Ruijie Networks also provides other simple access control functions,
such as local username authentication and online password authentication. Compared to them, AAA offers higher level of
network security.
Scalability
Standards-compliant authentication
1.2 Applications
Application Description
Configuring AAA in a Single-Domain AAA is performed for all the users in one domain.
Environment
Configuring AAA in a Multi-Domain AAA is performed for the users in different domains by using different methods.
Environment
1-1
Configuration Guide Configuring AAA
In the network scenario shown in Figure 1-1, the following application requirements must be satisfied to improve the security
management on the NAS:
1. To facilitate account management and avoid information disclosure, each administrator has an individual account with
different username and password.
2. Users must pass identity authentication before accessing the NAS. The authentication can be in local or centralized
mode. It is recommended to combine the two modes, with centralized mode as active and local mode as standby. As a
result, users must undergo authentication by the RADIUS server first. If the RADIUS server does not respond, it turns to
local authentication.
3. During the authentication process, users can be classified and limited to access different NASs.
4. Permission management: Users managed are classified into Super User and Common User. Super users have the
rights to view and configure the NAS, and common users are only able to view NAS configuration.
5. The AAA records of users are stored on servers and can be viewed and referenced for auditing. (The TACACS+ server
in this example performs the accounting.)
Figure 1-1
Remarks User A, User B, and User C are connected to the NAS in wired or wireless way.
The NAS is an access or convergence switch.
The RADIUS server can be the Windows 2000/2003 Server (IAS), UNIX system component, and dedicated
server software provided by a vendor.
The TACACS+ server can be the dedicated server software provided by a vendor.
Deployment
1-2
Configuration Guide Configuring AAA
A user can log in by entering the username PC1@ruijie.net or PC2@ruijie.com.cn and correct password on an 802.1X
client.
Permission management: Users managed are classified into Super User and Common User. Super users have the
rights to view and configure the NAS, and common users are only able to view NAS configuration.
The AAA records of users are stored on servers and can be viewed and referenced for auditing.
Figure 1-2
Remarks The clients with the usernames PC1@ruijie.net and PC2@ruijie.com.cn are connected to the NAS in wired or
wireless way.
The NAS is an access or convergence switch.
The Security Accounts Manager (SAM) server is a universal RADIUS server provided by Ruijie Networks.
Deployment
1.3 Features
Basic Concepts
1-3
Configuration Guide Configuring AAA
Local authentication is the process where the entered passwords are verified by the database on the NAS.
Remote server authentication is the process where the entered passwords are checked by the database on a remote server.
It is mainly implemented by the RADIUS server and TACACS+ server.
Method List
AAA is implemented using different security methods. A method list defines a method implementation sequence. The method
list can contain one or more security protocols so that a standby method can take over the AAA service when the first method
fails. On Ruijie devices, the first method in the list is tried in the beginning and then the next is tried one by one if the previous
gives no response. This method selection process continues until a security method responds or all the security methods in
the list are tried out. Authentication fails if no method in the list responds.
A method list contains a series of security methods that will be queried in sequence to verify user identities. It allows you to
define one or more security protocols used for authentication, so that the standby authentication method takes over services
when the active security method fails. On Ruijie devices, the first method in the list is tried in the beginning and then the next
is tried one by one if the previous gives no response. This method selection process continues until a method responds or all
the methods in the method list are tried out. Authentication fails if no method in the list responds.
The next authentication method proceeds on Ruijie devices only when the current method does not respond. When a
method denies user access, the authentication process ends without trying other methods.
Figure 1-3
Figure 1-3 shows a typical AAA network topology, where two RADIUS servers (R1 and R2) and one NAS are deployed. The
NAS can be the client for the RADIUS servers.
Assume that the system administrator defines a method list, where the NAS selects R1 and R2 in sequence to obtain user
identity information and then accesses the local username database on the server. For example, when a remote PC user
initiates dial-up access, the NAS first queries the user's identity on R1. When the authentication on R1 is completed, R1
returns an Accept response to the NAS. Then the user is permitted to access the Internet. If R1 returns a Reject response,
the user is denied Internet access and the connection is terminated. If R1 does not respond, the NAS considers that the R1
method times out and continues to query the user's identity on R2. This process continues as the NAS keeps trying the
remaining authentication methods, until the user request is authenticated, rejected, or terminated. If all the authentication
methods are responded with Timeout, authentication fails and the connection will be terminated.
The Reject response is different from the Timeout response. The Reject response indicates that the user does not meet
the criteria of the available authentication database and therefore fails in authentication, and the Internet access
request is denied. The Timeout response indicates that the authentication server fails to respond to the identity query.
1-4
Configuration Guide Configuring AAA
When detecting a timeout event, the AAA service proceeds to the next method in the list to continue the authentication
process.
This document describes how to configure AAA on the RADIUS server. For details about the configuration on the
TACACS+ server, see the Configuring TACACS+.
You can define an AAA server group to include one or more servers of the same type. If the server group is referenced by a
method list, the NAS preferentially sends requests to the servers in the referenced server group when the method list is used
to implement AAA.
Overview
Feature Description
AAA Authentication Verifies whether users can access the Internet.
AAA Authorization Determines what services or permissions users can enjoy.
AAA Accounting Records the network resource usage of users.
Multi-Domain AAA Creates domain-specific AAA schemes for 802.1X stations (STAs) in different domains.
To configure AAA authentication, you need to first configure an authentication method list. Applications perform
authentication according to the method list. The method list defines the types of authentication and the sequence in
which they are performed. Authentication methods are implemented by specified applications. The only exception is the
default method list. All applications use the default method list if no method list is configured.
No authentication (none)
The identity of trusted users is not checked. Normally, the no-authentication (None) method is not used.
Authentication is performed on the NAS, which is configured with user information (including usernames, passwords, and AV
pairs). Before local authentication is enabled, run the username password/secret command to create a local user
database.
Authentication is performed jointly by the NAS and a remote server group through RADIUS or TACACS+. A server group
consists of one or more servers of the same type. User information is managed centrally on a remote server, thus realizing
multi-device centralized and unified authentication with high capacity and reliability. You can configure local authentication as
standby to avoid authentication failures when all the servers in the server group fail.
1-5
Configuration Guide Configuring AAA
Login authentication
Users log in to the command line interface (CLI) of the NAS for authentication through Secure Shell (SSH), Telnet, and File
Transfer Protocol (FTP).
Enable authentication
After users log in to the CLI of the NAS, the users must be authenticated before CLI permission update. This process is
called Enable authentication (in Privileged EXEC mode).
Dot1X (IEEE802.1X) authentication is performed for users that initiate dial-up access through IEEE802.1X.
Related Configuration
Enabling AAA
Before you configure an AAA authentication scheme, determine whether to use local authentication or remote server
authentication. If the latter is to be implemented, configure a RADIUS or TACACS+ server in advance. If local authentication
is selected, configure the local user database information on the NAS.
Determine the access mode to be configured in advance. Then configure authentication methods according to the access
mode.
1-6
Configuration Guide Configuring AAA
Direct authorization is intended for highly trusted users, who are assigned with the default permissions specified by the NAS.
Local authorization is performed on the NAS, which authorizes users according to the AV pairs configured for local users.
Authorization is performed jointly by the NAS and a remote server group. You can configure local or direct authorization as
standby to avoid authorization failures when all the servers in the server group fail.
EXEC authorization
After users log in to the CLI of the NAS, the users are assigned with permission levels (0 to 15).
Config-commands authorization
Users are assigned with the permissions to run specific commands in configuration modes (including the global configuration
mode and sub-modes).
Console authorization
After users log in through consoles, the users are authorized to run commands.
Command authorization
Authorize users with commands after login to the CLI of the NAS.
Network authorization
After users access the Internet, the users are authorized to use the specific session services. For example, after users
access the Internet through PPP and Serial Line Internet Protocol (SLIP), the users are authorized to use the data service,
bandwidth, and timeout service.
Related Configuration
Enabling AAA
Before you configure an AAA authorization scheme, determine whether to use local authorization or remote server-group
authorization. If remote server-group authorization needs to be implemented, configure a RADIUS or TACACS+ server in
advance. If local authorization needs to be implemented, configure the local user database information on the NAS.
1-7
Configuration Guide Configuring AAA
Determine the access mode to be configured in advance. Then configure authorization methods according to the access
mode.
No accounting (none)
Accounting is completed on the NAS, which collects statistics on and limits the number of local user connections. Billing is
not performed.
Accounting is performed jointly by the NAS and a remote server group. You can configure local accounting as standby to
avoid accounting failures when all the servers in the server group fail.
EXEC accounting
Accounting is performed when users log in to and out of the CLI of the NAS.
Command accounting
Records are kept on the commands that users run on the CLI of the NAS.
Network accounting
Records are kept on the sessions that users set up after completing 802.1X and Web authentication to access the Internet.
Related Configuration
Enabling AAA
1-8
Configuration Guide Configuring AAA
Before you configure an AAA accounting scheme, determine whether to use local accounting or remote server-group
accounting. If remote server-group accounting needs to be implemented, configure a RADIUS or TACACS+ server in
advance. If local accounting needs to be implemented, configure the local user database information on the NAS.
Determine the access mode to be configured in advance. Then configure accounting methods according to the access mode.
1. userid@domain-name
2. domain-name\userid
3. userid.domain-name
4. userid
The fourth format (userid) does not contain a domain name, and it is considered to use the default domain name.
The NAS provides the domain-based AAA service based on the following principles:
Searches for the corresponding AAA method list name according to the domain configuration information on the NAS.
Searches for the corresponding method list according to the method list name.
If any of the preceding procedures fails, the AAA services cannot be provided.
Figure 1-4
Related Configuration
1-9
Configuration Guide Configuring AAA
Enabling AAA
For details, see section 5.2.1, section 5.2.2, and section 5.2.3.
To enable the domain-based AAA service, run the aaa domain enable command.
Creating a Domain
A domain AV set contains the following elements: AAA method lists, the maximum number of online users, whether to
remove the domain name from the username, and whether the domain name takes effect.
1.4 Configuration
1-10
Configuration Guide Configuring AAA
1-11
Configuration Guide Configuring AAA
Notes
If an authentication scheme contains multiple authentication methods, these methods are executed according to the
configured sequence.
The next authentication method is executed only when the current method does not respond. If the current method fails,
the next method will be not tried.
When the none method is used, users can get access even when no authentication method gets response. Therefore,
the none method is used only as standby.
Normally, do not use None authentication. You can use the none method as the last optional authentication method in
special cases. For example, all the users who may request access are trusted users and the users' work must not be
delayed by system faults. Then you can use the none method to assign access permissions to these users when the
authentication server does not respond. It is recommended that the local authentication method be added before the
none method.
If AAA authentication is enabled but no authentication method is configured and the default authentication method does
not exist, users can directly log in to the Console without being authenticated. If users log in by other means, the users
must pass local authentication.
When a user enters the CLI after passing login authentication (the none method is not used), the username is recorded.
When the user performs Enable authentication, the user is not prompted to enter the username again, because the
username that the user entered during login authentication is automatically filled in. However, the user must enter the
password previously used for login authentication.
1-12
Configuration Guide Configuring AAA
The username is not recorded if the user does not perform login authentication when entering the CLI or the none
method is used during login authentication. Then, a user is required to enter the username each time when performing
Enable authentication.
Configuration Steps
Enabling AAA
Mandatory.
Run the aaa authentication login command to configure a method list of login authentication.
This configuration is mandatory if you need to configure a login authentication method list (including the configuration of
the default method list).
Run the aaa authentication enable command to configure a method list of Enable authentication.
This configuration is mandatory if you need to configure an Enable authentication method list. (You can configure only
the default method list.)
Run the aaa authentication dot1x command to configure a method list of 802.1X authentication.
This configuration is mandatory if you need to configure an 802.1X authentication method list (including the
configuration of the default method list).
Run the aaa authentication web-auth command to configure a method list of Web authentication.
This configuration is mandatory if you need to configure a Web authentication method list (including the configuration of
the default method list).
Optional.
1-13
Configuration Guide Configuring AAA
Optional.
By default, a user is locked for 15 minutes after entering wrong passwords three times.
Verification
Run the show aaa method-list command to display the configured method lists.
Run the show aaa lockout command to display the settings of the maximum number of login attempts and the
maximum lockout time after a login failure.
Run the show running-config command to display the authentication method lists associated with login authentication
and 802.1X authentication.
Related Commands
Enabling AAA
1-14
Configuration Guide Configuring AAA
1-15
Configuration Guide Configuring AAA
Configuration Example
Configure a login authentication method list on the NAS containing group radius and local methods in order.
Scenario
Figure 1-5
1-16
Configuration Guide Configuring AAA
Ruijie(config)#aaa new-model
Ruijie(config)#line vty 0 20
Ruijie(config-line)#exit
Verification Run the show aaa method-list command on the NAS to display the configuration.
NAS
Ruijie#show aaa method-list
Authentication method-list:
Accounting method-list:
Authorization method-list:
Assume that a user remotely logs in to the NAS through Telnet. The user is prompted to enter the username
and password on the CLI.
The user must enter the correct username and password to access the NAS.
User
User Access Verification
Username:user
Password:pass
1-17
Configuration Guide Configuring AAA
Configure an Enable authentication method list on the NAS containing group radius, local, and then enable methods in
order.
Scenario
Figure 1-6
You can define only one Enable authentication method list globally. You do not need to define the list
name but just default it. After that, it will be applied automatically.
NAS
Ruijie#configure terminal
Ruijie(config)#enable secret w
Ruijie(config)#aaa new-model
Verification Run the show aaa method-list command on the NAS to display the configuration.
NAS
Ruijie#show aaa method-list
Authentication method-list:
Accounting method-list:
Authorization method-list:
1-18
Configuration Guide Configuring AAA
The CLI displays an authentication prompt when the user level is updated to level 15. The user must enter
the correct username and password to access the NAS.
NAS
Ruijie>enable
Username:user
Password:pass
Ruijie#
Configure an 802.1X authentication method list on the NAS containing group radius, and then local methods in order.
Scenario
Figure 1-7
Ruijie(config)#aaa new-model
Ruijie(config-if-gigabitEthernet 0/1)#exit
Verification Run the show aaa method-list command on the NAS to display the configuration.
1-19
Configuration Guide Configuring AAA
NAS
Ruijie#show aaa method-list
Authentication method-list:
Accounting method-list:
Authorization method-list:
Common Errors
Notes
EXEC authorization is often used with login authentication, which can be implemented on the same line. Authorization
and authentication can be performed using different methods and servers. Therefore, the results of the same user may
be different. If a user passes login authentication but fails in EXEC authorization, the user cannot enter the CLI.
The authorization methods in an authorization scheme are executed in accordance with the method configuration
sequence. The next authorization method is executed only when the current method does not receive response. If
authorization fails using a method, the next method will be not tried.
Console authorization: The RGOS can differentiate between the users who log in through the Console and the users
who log in through other types of clients. You can enable or disable command authorization for the users who log in
through the Console. If command authorization is disabled for these users, the command authorization method list
applied to the Console line no longer takes effect.
Configuration Steps
Enabling AAA
Mandatory.
1-20
Configuration Guide Configuring AAA
Run the aaa authorization exec command to configure a method list of EXEC authorization.
This configuration is mandatory if you need to configure an EXEC authorization method list (including the configuration
of the default method list).
The default access permission level of EXEC users is the lowest. (Console users can connect to the NAS through the
Console port or Telnet. Each connection is counted as an EXEC user, for example, a Telnet user and SSH user.)
Run the aaa authorization commands command to configure a method list of command authorization.
This configuration is mandatory if you need to configure a command authorization method list (including the
configuration of the default method list).
Run the aaa authorization network command to configure a method list of network authorization.
This configuration is mandatory if you need to configure a network authorization method list (including the configuration
of the default method list).
Run the authorization exec command in line configuration mode to apply EXEC authorization methods to a specified
VTY line.
This configuration is mandatory if you need to apply an EXEC authorization method list to a specified VTY line.
By default, all VTY lines are associated with the default authorization method list.
Run the authorization commands command in line configuration mode to apply command authorization methods to a
specified VTY line.
This configuration is mandatory if you need to apply a command authorization method list to a specified VTY line.
By default, all VTY lines are associated with the default authorization method list.
Run the aaa authorization config-commands command to enable authorization for commands in configuration
modes.
1-21
Configuration Guide Configuring AAA
Run the aaa authorization console command to enable authorization for console users to run commands.
Verification
Related Commands
Enabling AAA
1-22
Configuration Guide Configuring AAA
group: Indicates that a server group is used for command authorization. Currently, the TACACS+ server
group is supported.
Command Global configuration mode
Mode
Usage Guide The RGOS supports authorization of the commands executable by users. When a user enters a command,
AAA sends the command to the authentication server. If the authentication server permits the execution, the
command is executed. If the authentication server forbids the execution, the command is not executed and a
message is displayed showing that the execution is rejected.
When you configure command authorization, specify the command level, which is used as the default level.
(For example, if a command above Level 14 is visible to users, the default level of the command is 14.)
After you configure command authorization methods, apply the methods to the VTY lines that require
command authorization; otherwise, the methods will not take effect.
Enabling Authorization for Commands in Configuration Modes (Including the Global Configuration Mode and
Sub-Modes)
1-23
Configuration Guide Configuring AAA
users can run commands in configuration mode and sub-modes without authorization.
Configuration Example
Configure login authentication and EXEC authorization for users on VTY lines 0 to 4. Login authentication is performed in
local mode, and EXEC authorization is performed on a RADIUS server. If the RADIUS server does not respond, users are
redirected to the local authorization.
Scenario
Figure 1-8
Ruijie(config)#aaa new-model
1-24
Configuration Guide Configuring AAA
Ruijie(config)#line vty 0 4
Ruijie(config-line)#exit
Verification Run the show run and show aaa method-list commands on the NAS to display the configuration.
NAS
Ruijie#show aaa method-list
Authentication method-list:
Accounting method-list:
Authorization method-list:
aaa new-model
line con 0
line vty 0 4
1-25
Configuration Guide Configuring AAA
End
Provide command authorization for login users according to the following default authorization method: Authorize level-15
commands first by using a TACACS+ server. If the TACACS+ server does not respond, local authorization is performed.
Authorization is applied to the users who log in through the Console and the users who log in through other types of clients.
Scenario
Figure 1-9
Ruijie(config)#aaa new-model
Verification Run the show run and show aaa method-list commands on the NAS to display the configuration.
NAS
Ruijie#show aaa method-list
Authentication method-list:
1-26
Configuration Guide Configuring AAA
Accounting method-list:
Authorization method-list:
Ruijie#show run
aaa new-model
nfpp
vlan 1
no service password-encryption
line con 0
line vty 0 4
end
1-27
Configuration Guide Configuring AAA
Scenario
Figure 1-10
Ruijie(config)#aaa new-model
Ruijie(config)# end
Verification Run the show aaa method-list command on the NAS to display the configuration.
NAS
Ruijie#show aaa method-list
Authentication method-list:
Accounting method-list:
Authorization method-list:
Common Errors
N/A
1-28
Configuration Guide Configuring AAA
Record the user login and logout processes and the commands executed by users during device management.
Notes
If an accounting scheme contains multiple accounting methods, these methods are executed according to the method
configuration sequence. The next accounting method is executed only when the current method does not receive
response. If accounting fails using a method, the next method will be not tried.
After the default accounting method list is configured, it is applied to all VTY lines automatically. If a non-default
accounting method list is applied to a line, it will replace the default one. If you apply an undefined method list to a line,
the system will display a message indicating that accounting on this line is ineffective. Accounting will take effect only
when a defined method list is applied.
EXEC accounting:
EXEC accounting is performed only when login authentication on the NAS is completed. EXEC accounting is not
performed if login authentication is not configured or the none method is used for authentication. If Start accounting is
not performed for a user upon login, Stop accounting will not be performed when the user logs out.
Command accounting
Configuration Steps
Enabling AAA
Mandatory.
Run the aaa accounting exec command to configure a method list of EXEC accounting.
This configuration is mandatory if you need to configure an EXEC accounting method list (including the configuration of
the default method list).
The default access permission level of EXEC users is the lowest. (Console users can connect to the NAS through the
Console port or Telnet. Each connection is counted as an EXEC user, for example, a Telnet user and SSH user.)
Run the aaa accounting commands command to configure a method list of command accounting.
This configuration is mandatory if you need to configure a command accounting method list (including the configuration
of the default method list).
1-29
Configuration Guide Configuring AAA
By default, no command accounting method list is configured. Only the TACACS+ protocol supports command
accounting.
Run the aaa accounting network command to configure a method list of network accounting.
This configuration is mandatory if you need to configure a network accounting method list (including the configuration of
the default method list).
Run the accounting exec command in line configuration mode to apply EXEC accounting methods to a specified VTY
line.
This configuration is mandatory if you need to apply an EXEC accounting method list to a specified VTY line.
You do not need to run this command if you apply the default method list.
By default, all VTY lines are associated with the default accounting method list.
Run the accounting commands command in line configuration mode to apply command accounting methods to a
specified VTY line.
This configuration is mandatory if you need to apply a command accounting method list to a specified VTY line.
You do not need to run this command if you apply the default method list.
By default, all VTY lines are associated with the default accounting method list.
Run the dot1x accounting network command to configure 802.1X network accounting methods.
This configuration is mandatory if you need to specify 802.1X network accounting methods.
You do not need to run this command if you apply the default method list.
By default, all VTY lines are associated with the default accounting method list.
Optional.
Optional.
It is recommended that the accounting update interval not be configured unless otherwise specified.
1-30
Configuration Guide Configuring AAA
Verification
Related Commands
Enabling AAA
Command aaa accounting commands level { default | list-name } start-stop method1 [ method2...]
Parameter level: Indicates the command level for which accounting will be performed. The value ranges from 0 to 15.
Description After a command of the configured level is executed, the accounting server records related information
based on the received accounting packet.
default: With this parameter used, the configured method list will be defaulted.
list-name: Indicates the name of a command accounting method list in characters.
method: Indicates authentication methods from none and group. A method list contains up to four methods.
1-31
Configuration Guide Configuring AAA
1-32
Configuration Guide Configuring AAA
Description
Command Global configuration mode
Mode
Usage Guide Accounting update cannot be used if the AAA services are not enabled. After the AAA services are enabled,
run this command to configure the accounting update interval.
Configuration Example
Configure login authentication and EXEC accounting for users on VTY lines 0 to 4. Login authentication is performed in local
mode, and EXEC accounting is performed on a RADIUS server.
Scenario
Figure 1-11
Ruijie(config)#aaa new-model
Ruijie(config)#line vty 0 4
Ruijie(config-line)#exit
Verification Run the show run and show aaa method-list commands on the NAS to display the configuration.
NAS
Ruijie#show aaa method-list
1-33
Configuration Guide Configuring AAA
Authentication method-list:
Accounting method-list:
Authorization method-list:
aaa new-model
line con 0
line vty 0 4
End
Configure command accounting for login users according to the default accounting method. Login authentication is
performed in local mode, and command accounting is performed on a TACACS+ server.
Scenario
Figure 1-12
1-34
Configuration Guide Configuring AAA
Ruijie(config)#aaa new-model
Verification Run the show aaa method-list command on the NAS to display the configuration.
NAS
Ruijie#show aaa method-list
Authentication method-list:
Accounting method-list:
Authorization method-list:
Ruijie#show run
aaa new-model
1-35
Configuration Guide Configuring AAA
nfpp
vlan 1
no service password-encryption
line con 0
line vty 0 4
end
Configure a network accounting method list for 802.1X STAs, and configure a RADIUS remote server for authentication and
accounting.
Scenario
Figure 1-13
1-36
Configuration Guide Configuring AAA
NAS
Ruijie#configure terminal
Ruijie(config)#aaa new-model
Ruijie(config-if-GigabitEthernet 0/1)#exit
Verification Run the show aaa method-list command on the NAS to display the configuration.
NAS
Ruijie#show aaa method-list
Authentication method-list:
Accounting method-list:
Authorization method-list:
Common Errors
N/A
Create a user-defined server group and add one or more servers to the group.
When you configure authentication, authorization, and accounting method lists, name the methods after the server
group name so that the servers in the group are used to handle authentication, authorization, and accounting requests.
Notes
1-37
Configuration Guide Configuring AAA
In a user-defined server group, you can specify and apply only the servers in the default server group.
Configuration Steps
Mandatory.
Assign a meaningful name to the user-defined server group. Do not use the predefined radius and tacacs+ keywords
in naming.
Mandatory.
Verification
Related Commands
Configuration Example
1-38
Configuration Guide Configuring AAA
Create RADIUS server groups named g1 and g2. The IP addresses of the servers in g1 are 10.1.1.1 and 10.1.1.2, and the IP
addresses of the servers in g2 are 10.1.1.3 and 10.1.1.4.
Scenario
Figure 1-14
Prerequisites 1. The required interfaces, IP addresses, and VLANs have been configured on the network,
network connections have been set up, and the routes from the NAS to servers are
reachable.
2. Enable AAA.
Configuration Step 1: Configure a server (which belongs to the default server group).
Steps Step 2: Create user-defined AAA server groups.
Step 3: Add servers to the AAA server groups.
NAS
Ruijie#configure terminal
Ruijie(config-gs-radius)#server 10.1.1.1
Ruijie(config-gs-radius)#server 10.1.1.2
Ruijie(config-gs-radius)#exit
Ruijie(config-gs-radius)#server 10.1.1.3
Ruijie(config-gs-radius)#server 10.1.1.4
Ruijie(config-gs-radius)#exit
1-39
Configuration Guide Configuring AAA
Verification Run the show aaa group and show run commands on the NAS to display the configuration.
NAS
Ruijie#show aaa group
radius 1 radius
tacacs+ 1 tacacs+
radius 1 g1
radius 1 g2
Ruijie#show run
server 10.1.1.1
server 10.1.1.2
server 10.1.1.3
server 10.1.1.4
Common Errors
For RADIUS servers that use non-default authentication and accounting ports, when you run the server command to
add servers, specify the authentication or accounting port.
1-40
Configuration Guide Configuring AAA
Notes
The AAA method lists that you select in domain configuration mode should be defined in advance. If the method lists
are not defined in advance, when you select them in domain configuration mode, the system prompts that the
configurations do not exist.
The names of the AAA method lists selected in domain configuration mode must be consistent with those of the method
lists defined for the AAA service. If they are inconsistent, the AAA service cannot be properly provided to the users in
the domain.
Default domain: After the domain-based AAA service is enabled, if a username does not carry domain information, the
AAA service is provided to the user based on the default domain. If the domain information carried by the username is
not configured in the system, the system determines that the user is unauthorized and will not provide the AAA service
to the user. If the default domain is not configured initially, it must be created manually.
When the domain-based AAA service is enabled, the default domain is not configured by default and needs to be
created manually. The default domain name is default. It is used to provide the AAA service to the users whose
usernames do not carry domain information. If the default domain is not configured, the AAA service is not available for
the users whose usernames do not carry domain information.
The domain names carried by usernames and those configured on the NAS are matched in the longest matching
principle. For example, if two domains, domain.com and domain.com.cn are configured on a NAS and a user sends a
request carrying aaa@domain.com, the NAS determines that the user belongs to domain.com, instead of
domain.com.cn.
If the username of an authenticated user carries domain information but the domain is not configured on the NAS, the
AAA service is not provided to the user.
Configuration Steps
Enabling AAA
Mandatory.
Mandatory.
Run the aaa domain enable command to enable the domain-based AAA service.
1-41
Configuration Guide Configuring AAA
Mandatory.
Run the aaa domain command to create a domain or enter the configured domain.
Run the authentication dot1x command to associate the domain with an 802.1X authentication method list.
This configuration is mandatory if you need to apply a specified 802.1X authentication method list to the domain.
Run the accounting network command to associate the domain with a network accounting method.
This configuration is mandatory if you need to apply a specified network accounting method list to the domain.
If a domain is not associated with a network accounting method list, by default, the global default method list is used for
accounting.
Run the authorization network command to associate the domain with a network authorization method list.
This configuration is mandatory if you need to apply a specified network authorization method list to the domain.
If a domain is not associated with a network authorization method list, by default, the global default method list is used
for authorization.
Optional.
When a domain is in Block state, the users in the domain cannot log in.
By default, after a domain is created, its state is Active, indicating that all the users in the domain are allowed to request
network services.
Optional.
By default, the usernames exchanged between the NAS and an authentication server carry domain information.
Optional.
By default, the maximum number of access users allowed in a domain is not limited.
Verification
1-42
Configuration Guide Configuring AAA
Related Commands
Enabling AAA
1-43
Configuration Guide Configuring AAA
Command
authentication web-auth { default | list-name }
1-44
Configuration Guide Configuring AAA
usernames when the NAS interacts with authentication servers in a specified domain.
Configuration Example
Configure authentication and accounting through a RADIUS server to 802.1X users (username: user@domain.com) that
access the NAS. The usernames that the NAS sends to the RADIUS server do not carry domain information, and the number
of access users is not limited.
Scenario
Figure 1-15
Configuration The following example shows how to configure RADIUS authentication and accounting, which requires the
Steps configuration of a RADIUS server in advance.
Step 1: Enable AAA.
Step 2: Define an AAA method list.
Step 3: Enable the domain-based AAA service.
Step 4: Create a domain.
Step 5: Associate the domain with the AAA method list.
Step 6: Configure the domain attribute.
NAS
Ruijie#configure terminal
Ruijie(config)#aaa new-model
1-45
Configuration Guide Configuring AAA
Verification Run the show run and show aaa domain command on the NAS to display the configuration.
NAS
Ruijie#show aaa domain domain.com
=============Domain domain.com=============
State: Active
Ruijie#show run
Building configuration...
co-operate enable
aaa new-model
1-46
Configuration Guide Configuring AAA
nfpp
no service password-encryption
line con 0
line vty 0 4
end
Common Errors
N/A
1.5 Monitoring
Clearing
Description Command
Clears the locked users. clear aaa local user lockout {all | user-name username }
Displaying
Description Command
Displays the accounting update information. show aaa accounting update
Displays the current domain configuration. show aaa domain
Displays the current lockout configuration. show aaa lockout
Displays the AAA server groups. show aaa group
Displays the AAA method lists. show aaa method-list
Displays the AAA users. show aaa user
1-47
Configuration Guide Configuring RADIUS
2 Configuring RADIUS
2.1 Overview
The Remote Authentication Dial-In User Service (RADIUS) is a distributed client/server system.
RADIUS works with the Authentication, Authorization, and Accounting (AAA) to conduct identity authentication on users who
attempt to access a network, to prevent unauthorized access. In RGOS implementation, a RADIUS client runs on a device or
Network Access Server (NAS) and transmits identity authentication requests to the central RADIOUS server, where all user
identity authentication information and network service information are stored. In addition to the authentication service, the
RADIUS server provides authorization and accounting services for access users.
RADIUS is often applied in network environments that have high security requirements and allow the access of remote users.
RADIUS is a completely open protocol and the RADIUS server is installed on many operating systems as a component, for
example, on UNIX, Windows 2000, and Windows 2008. Therefore, RADIUS is the most widely applied security server
currently.
The Dynamic Authorization Extensions to Remote Authentication Dial In User Service is defined in the IETF RFC3576. This
protocol defines a user offline management method. Devices communicate with the RADIUS server through the
Disconnect-Messages (DMs) to bring authenticated users offline. This protocol implements compatibility between devices of
different vendors and the RADIUS server in terms of user offline processing.
In the DM mechanism, the RADIUS server actively initiates a user offline request to a device, the device locates a user
according to the user session information, user name, and other information carried in the request and brings the user offline.
Then, the device returns a response packet that carries the processing result to the RADIUS server, thereby implementing
user offline management of the RADIUS server.
RFC3576: Dynamic Authorization Extensions to Remote Authentication Dial In User Service (RADIUS)
2.2 Applications
Application Description
Providing Authentication, Authentication, authorization, and accounting are conducted on access users on a
Authorization, and Accounting network, to prevent unauthorized access or operations.
2-1
Configuration Guide Configuring RADIUS
Application Description
Services for Access Users
Forcing Users to Go Offline The server forces an authenticated user to go offline.
RADIUS is typically applied in the authentication, authorization, and accounting of access users. A network device serves as
a RADIUS client and transmits user information to a RADIUS server. After completing processing, the RADIUS server
returns the authentication acceptance/authentication rejection/accounting response information to the RADIUS client. The
RADIUS client performs processing on the access user according to the response from the RADIUS server.
Remarks PC 1 and PC 2 are connected to the RADIUS client as access users in wired or wireless mode, and initiate
authentication and accounting requests.
The RADIUS client is usually an access switch or aggregate switch.
The RADIUS server can be a component built in the Windows 2000/2003, Server (IAS), or UNIX operating
system or dedicated server software provided by vendors.
Deployment
Configure access device information on the RADIUS server, including the IP address and shared key of the access
devices.
Configure the RADIUS server information on the RADIUS client, including the IP address and shared key.
Configure the network so that the RADIUS client communicates with the RADIUS server successfully.
The RADIUS server forces authenticated online users to go offline for the sake of management.
2-2
Configuration Guide Configuring RADIUS
Deployment
Enable the RADIUS dynamic authorization extension function on the RADIUS client.
2.3 Features
Basic Concepts
Client/Server Mode
Client: A RADIUS client initiates RADIUS requests and usually runs on a device or NAS. It transmits user information to
the RADIUS server, receives responses from the RADIUS server, and performs processing accordingly. The
processing includes accepting user access, rejecting user access, or collecting more user information for the RADIUS
server.
Server: Multiple RADIUS clients map to one RADIUS server. The RADIUS server maintains the IP addresses and
shared keys of all RADIUS clients as well as information on all authenticated users. It receives requests from a RADIUS
client, conducts authentication, authorization, and accounting, and returns processing information to the RADIUS client.
Code: Identifies the type of RADIUS packets, which occupies one byte. The following table lists the values and
meanings.
Identifier: Indicates the identifier for matching request packets and response packets, which occupies one byte. The
identifier values of request packets and response packets of the same type are the same.
2-3
Configuration Guide Configuring RADIUS
Length: Identifies the length of a whole RADIUS packet, which includes Code, Identifier, Length, Authenticator, and
Attributes. It occupies two bytes. Bytes that are beyond the Length field will be truncated. If the length of a received
packet is smaller than the value of Length, the packet is discarded.
Authenticator: Verifies response packets of the RADIUS server by a RADIUS client, which occupies 16 bytes. This field
is also used for encryption/decryption of user passwords.
Attributes: Carries authentication, authorization, and accounting information, with the length unfixed. The Attributes
field usually contains multiple attributes. Each attribute is represented in the Type, Length, Value (TLV) format. Type
occupies one byte and indicates the attribute type. The following table lists common attributes of RADIUS
authentication, authorization, and accounting. Length occupies one byte and indicates the attribute length, with the unit
of bytes. Value indicates the attribute information.
2-4
Configuration Guide Configuring RADIUS
Shared Key
A RADIUS client and a RADIUS server mutually confirm their identities by using a shared key during communication. The
shared key cannot be transmitted over a network. In addition, user passwords are encrypted for transmission for the sake of
security.
The RADIUS security protocol, also called RADIUS method, is configured in the form of a RADIUS server group. Each
RADIUS method corresponds to one RADIUS server group and one or more RADIUS severs can be added to one RADIUS
server group. For details about the RADIUS method, see the Configuring AAA. If you add multiple RADIUS servers to one
RADIUS server group, when the communication between a device and the first RADIUS server in this group fails or the first
RADIUS server becomes unreachable, the device automatically attempts to communicate with the next RADIUS server till
the communication is successful or the communication with all the RADIUS servers fails.
Standard attributes
The RFC standards specify the RADIUS attribute numbers and attribute content but do not specify the format of some
attribute types. Therefore, the format of attribute contents needs to be configured to adapt to different RADIUS server
requirements. Currently, the format of the RADIUS Calling-Station-ID attribute (attribute No.: 31) can be configured.
The RADIUS Calling-Station-ID attribute is used to identify user identities when a network device transmits request packets
to the RADIUS server. The RADIUS Calling-Station-ID attribute is a string, which can adopt multiple formats. It needs to
uniquely identify a user. Therefore, it is often set to the MAC address of a user. For example, when IEEE 802.1X
authentication is used, the Calling-Station-ID attribute is set to the MAC address of the device where the IEEE 802.1X client
is installed. The following table describes the format of MAC addresses.
2-5
Configuration Guide Configuring RADIUS
Format Description
Indicates the standard format specified in the IETF standard (RFC3580), which is
Ietf separated by the separator (-). Example:
00-D0-F8-33-22-AC
Indicates the common format that represents a MAC address (dotted hexadecimal
Normal format), which is separated by the separator (.). Example:
00d0.f833.22ac
Indicates the format without separators. This format is used by default. Example:
Unformatted
00d0f83322ac
Private attributes
RADIUS is an extensible protocol. According to RFC2865, the Vendor-Specific attribute (attribute No.: 26) is used by device
vendors to extend the RADIUS protocol to implement private functions or functions that are not defined in the standard
RADIUS protocol. Table 1-3 lists private attributes supported by Ruijie products. The TYPE column indicates the default
configuration of private attributes of Ruijie products and the Extended TYPE column indicates the default configuration of
private attributes of other non-Ruijie products.
2-6
Configuration Guide Configuring RADIUS
Overview
Feature Description
RADIUS Authentication, Conducts identity authentication and accounting on access users, safeguards network
Authorization, and Accounting security, and facilitates management for network administrators.
Source Address of RADIUS Specifies the source IP address used by a RADIUS client to transmit packets to a RADIUS
Packets server.
RADIUS Timeout Specifies the packet retransmission parameter for a RADIUS client when a RADIUS server
Retransmission does not respond to packets transmitted from the RADIUS client within a period of time.
RADIUS Server Accessibility Enables a RADIUS client to actively detect whether a RADIUS server is reachable and
Detection maintain the accessibility of each RADIUS server. A reachable RADIUS server is selected
preferentially to improve the handling performance of RADIUS services.
RADIUS Forced Offline Enables a RADIUS server to actively force authenticated users to go offline.
Working Principle
2-7
Configuration Guide Configuring RADIUS
Figure 2-2
1. A user enters the user name and password and transmits them to the RADIUS client.
2. After receiving the user name and password, the RADIUS client transmits an authentication request packet to the
RADIUS server. The password is encrypted for transmission. For the encryption method, see RFC2865.
3. The RADIUS server accepts or rejects the authentication request according to the user name and password. When
accepting the authentication request, the RADIUS server also issues authorization information apart from the
authentication acceptance information. The authorization information varies with the type of access users.
1. If the RADIUS server returns authentication acceptance information in Step (3), the RADIUS client sends an accounting
start request packet to the RADIUS server immediately.
2. The RADIUS server returns the accounting start response packet, indicating accounting start.
3. The user stops accessing network resources and requests the RADIUS client to disconnect the network connection.
4. The RADIUS client transmits the accounting end request packet to the RADIUS server.
5. The RADIUS server returns the accounting end response packet, indicating accounting end.
2-8
Configuration Guide Configuring RADIUS
Related Configuration
You can run the radius-server host command to configure a RADIUS server.
At least one RADIUS server must be configured so that RADIUS services run normally.
You can run the aaa authentication command to configure a method list for different user types and select group radius
when setting the authentication method.
The RADIUS authentication can be conducted only after the AAA authentication method list of relevant user types is
configured.
You can run the aaa authorization command to configure an authorization method list for different user types and select
group radius when setting the authorization method.
The RADIUS authorization can be conducted only after the AAA authorization method list of relevant user types is
configured.
You can run the aaa accounting command to configure an accounting method list for different user types and select group
radius when setting the accounting method.
The RADIUS accounting can be conducted only after the AAA accounting method list of relevant user types is configured.
Working Principle
When configuring RADIUS, specify the source IP address to be used by a RADIUS client to transmit RADIUS packets to a
RADIUS server, in an effort to reduce the workload of maintaining a large amount of NAS information on the RADIUS server.
Related Configuration
The global routing is used to determine the source address for transmitting RADIUS packets by default.
Run the ip radius source-interface command to specify the source interface for transmitting RADIUS packets. The device
uses the first IP address of the specified interface as the source address of RADIUS packets.
2-9
Configuration Guide Configuring RADIUS
After a RADIUS client transmits a packet to a RADIUS server, a timer is started to detect the response of the RADIUS server.
If the RADIUS server does not respond within a certain period of time, the RADIUS client retransmits the packet.
Related Configuration
You can run the radius-server timeout command to configure the timeout time. The value ranges from 1 second to 1,000
seconds.
The response time of a RADIUS server is relevant to its performance and the network environment. Set an appropriate
timeout time according to actual conditions.
You can run the radius-server retransmit command to configure the retransmission count. The value ranges from 1 to 100.
You can run the radius-server account update retransmit command to configure retransmission of accounting update
packets for authenticated users.
A RADIUS client actively detects whether a RADIUS server is reachable and maintains the accessibility of each RADIUS
server. A reachable RADIUS server is selected preferentially to improve the handling performance of RADIUS services.
Related Configuration
Configuring the Criteria for the Device to Judge That a RADIUS Server Is Unreachable
The default criteria configured for judging that a RADIUS server is unreachable meet the two conditions simultaneously: 1.
The device does not receive a correct response packet from the RADIUS security server within 60 seconds. 2. The device
transmits the request packet to the same RADIUS security server for consecutive 10 times.
You can run the radius-server dead-criteria command to configure the criteria for the device to judge that the RADIUS
security server is unreachable.
Configuring the Test User Name for Actively Detecting the RADIUS Security Server
2-10
Configuration Guide Configuring RADIUS
No test user name is specified for actively detecting the RADIUS security server by default.
You can run the radius-server host x.x.x.xtestusername xxx command to configure the test user name.
Figure 2-3 DM Message Exchange of the RADIUS Dynamic Authorization Extension Protocol
The preceding figure shows the exchange of DM messages between the RADIUS server and the device. The RADIUS
server transmits the Disconnect-Request message to UDP Port 3799 of the device. After processing, the device returns the
Disconnect-Response message that carries the processing result to the RADIUS server.
Related Configuration
N/A
2.4 Configuration
2-11
Configuration Guide Configuring RADIUS
(Optional) It is used to detect whether a RADIUS server is reachable and maintain the
accessibility of the RADIUS server.
Configures the global criteria for judging that a
radius-server dead-criteria
RADIUS security server is unreachable.
Configuring RADIUS Configures the duration for the device to stop
Accessibility Detection radius-server deadtime transmitting request packets to an unreachable
RADIUS server.
Configures the IP address of the remote RADIUS
radius-server host security server, authentication port, accounting port,
and active detection parameters.
RADIUS authentication, authorization, and accounting can be conducted after RADIUS basic configuration is complete.
Notes
Before configuring RADIUS on the device, ensure that the network communication of the RADIUS server is in good
condition.
When running the ip radius source-interface command to configure the source address of RADIUS packets, ensure
that the device of the source IP address communicates with the RADIUS server successfully.
When conducting RADIUS IPv6 authentication, ensure that the RADIUS server supports RADIUS IPv6 authentication.
2-12
Configuration Guide Configuring RADIUS
Configuration Steps
Mandatory.
Configure the IP address, authentication port, accounting port, and shard key of the RADIUS security server.
Configuring the Shared Key for Communication Between the Device and the RADIUS Server
Optional.
Configure a shared key in global configuration mode for servers without a shared key.
The shared key on the device must be consistent with that on the RADIUS server.
Configuring the Request Transmission Count, After Which the Device Confirms That a RADIUS Server Is
Unreachable
Optional.
Configure the request transmission count, after which the device confirms that a RADIUS server is unreachable,
according to the actual network environment.
Configuring the Waiting Time, After which the Device Retransmits a Request
Optional.
Configure the waiting time, after which the device retransmits a request, according to the actual network environment.
In an 802.1X authentication environment that uses the RADIUS security protocol, if a network device serves as the
802.1X authenticator and Ruijie SU is used as the 802.1X client software, it is recommended that radius-server
timeout be set to 3 seconds (the default value is 5 seconds) and radius-server retransmit be set to 2 (the default
value is 3) on the network device.
Optional.
Determine whether to enable the function of retransmitting accounting update packets of authenticated users according
to actual requirements.
Optional.
Configure the source address of RADIUS packets according to the actual network environment.
Verification
Configure the AAA method list that specifies to conduct authentication, authorization, and accounting on users by using
RADIUS.
2-13
Configuration Guide Configuring RADIUS
Enable the device to interact with the RADIUS server. Conduct packet capture to confirm that the device communicates
with the RADIUS server over the RADIUS protocol.
Related Commands
Configuring the Shared Key for Communication Between the Device and the RADIUS Server
Configuring the Request Transmission Count, After Which the Device Confirms That a RADIUS Server Is
Unreachable
2-14
Configuration Guide Configuring RADIUS
Configuring the Waiting Time, After which the Device Retransmits a Request
Configuration Example
2-15
Configuration Guide Configuring RADIUS
Scenario
Figure 2-4
Verification Telnet to a device from a PC. The screen requesting the user name and password is displayed. Enter the
correct user name and password to log in to the device. After obtaining a certain access level granted by the
server, only run commands under this access level. Display the authentication log of the user on the
RADIUS server. Perform management operations on the device as the user and then log out. Display the
accounting information on the user on the RADIUS server.
Ruijie#show running-config
2-16
Configuration Guide Configuring RADIUS
aaa new-model
no service password-encryption
iptcp not-send-rst
vlan 1
line con 0
line vty 0 4
Common Errors
The key configured on the device is inconsistent with that configured on the server.
Define the attribute processing adopted when the device encapsulates and parses RADIUS packets.
Notes
Private attributes involved in "Configuring the RADIUS Attribute Type" refer to Ruijie private attributes.
Configuration Steps
2-17
Configuration Guide Configuring RADIUS
Optional.
Set the MAC address format of Calling-Station-Id to a type supported by the server.
Optional.
Configure the parsing mode of the Class attribute according to the server type.
Optional.
If the server is a Ruijie application server, the RADIUS private attribute type needs to be configured.
Setting the Private Attribute port-priority Issued by the Server to the COS Value of an Interface
Optional.
Set the private attribute port-priority issued by the server to the COS value of an interface as required.
Optional.
Configure whether the device supports the RADIUS CUI attribute as required.
Optional.
Configure the index of a Ruijie private attribute parsed by the device as required.
Optional.
Configure whether to specify the attribute type for RADIUS authentication request packets as required.
Optional.
Configure whether to specify the attribute type for RADIUS accounting request packets as required.
Configuring Whether RADIUS Authentication Request Packets Carry the Private Attribute of a Specified Vendor
Optional.
Configure whether RADIUS authentication request packets carry the private attribute of a specified vendor as required.
Configuring Whether RADIUS Accounting Request Packets Carry the Private Attribute of a Specified Vendor
Optional.
Configure whether RADIUS accounting request packets carry the private attribute of a specified vendor as required.
2-18
Configuration Guide Configuring RADIUS
Configuring Whether RADIUS Server Parses the Private Attribute of Cisco, Huawei or Microsoft
Optional.
Configure whether RADIUS server parses the private attribute of Cisco, Huawei or Microsoft.
Optional.
In either QINQ or non-QINQ scenarios, configure the nas-nort-id encapsulation format for RADIUS packets. By default,
the packets are encapsulated in the normal format.
Verification
Configure the AAA method list that specifies to conduct authentication, authorization, and accounting on users by using
RADIUS.
Enable the device to interact with the RADIUS server. Conduct packet capture to display the MAC address format of
Calling-Station-Id.
Enable the device to interact with the RADIUS server. Display the debug information of the device to check that Ruijie
private attributes are correctly parsed by the device.
Enable the device to interact with the RADIUS server. Display the debug information of the device to check that the CUI
attribute is correctly parsed by the device.
Related Commands
2-19
Configuration Guide Configuring RADIUS
Mode
Usage Guide Configure this command if the server needs to issue the rate limit value by using the Class attribute.
Setting the Private Attribute port-priority Issued by the Server to the COS Value of an Interface
Configuring Whether RADIUS Authentication Request Packets Carry the Private Attribute of a Specified Vendor
2-20
Configuration Guide Configuring RADIUS
Parameter vendor_name: Indicates the vendor name. It can be set to cmcc, Microsoft, or cisco.
Description
Command Global configuration mode
Mode
Usage Guide Use this command to configure whether authentication request packets carry the private attribute of a
specified vendor.
Configuring Whether RADIUS Accounting Request Packets Carry the Private Attribute of a Specified Vendor
Configuration Example
Configure the RAIUDS server not to parse Cisoc’s private attributes contained in packets.
Ruijie(config)#radiussetqoscos
Ruijie(config)#radiussupport cui
2-21
Configuration Guide Configuring RADIUS
Verification Conduct packet capture or display debug information of the device to check whether the RADIUS standard
attributes and private attributes are encapsulated/parsed correctly.
The device maintains the accessibility status of each configured RADIUS server: reachable or unreachable. The device will
not transmit authentication, authorization, and accounting requests of access users to an unreachable RADIUS server unless
all the other servers in the same RADIUS server group as the unreachable server are all unreachable.
The device actively detects a specified RADIUS server. The active detection function is disabled by default. If the active
detection function is enabled for a specified RADIUS server, the device will, according to the configuration, periodically
transmits detection requests (authentication requests or accounting requests) to the RADIUS server. The transmission
interval is as follows:
For a reachable RADIUS server, the interval is the active detection interval of the reachable RADIUS server (the default
value is 60 minutes).
Notes
All the following conditions need to be met before the active detection function is enabled for a specified RADIUS server:
The test user name of the RADIUS server is configured on the device.
At least one tested port (authentication port or accounting port) of the RADIUS server is configured on the device.
If the following two conditions are all met, it is deemed that a reachable RADIUS server becomes unreachable:
After the previous correct response is received from the RADIUS server, the time set in radius-server dead-criteria
time seconds has elapsed.
After the previous correct response is received from the RADIUS server, the count that the device transmits requests to
the RADIUS server but fails to receive correct responses (including retransmission) reaches the value set in
radius-server dead-criteria tries number.
If any of the following conditions is met, it is deemed that an unreachable RADIUS server becomes reachable:
The duration that the RADIUS server is in the unreachable state exceeds the time set in radius-server deadtime and
the active detection function is disabled for the RADIUS server.
The authentication port or accounting port of the RADIUS server is updated on the device.
Configuration Steps
Configuring the Global Criteria for Judging That a RADIUS Security Server Is Unreachable
Mandatory.
2-22
Configuration Guide Configuring RADIUS
Configuring the global criteria for judging that a RADIUS security server is unreachable is a prerequisite for enabling the
active detection function.
Configuring the IP Address of the Remote RADIUS Security Server, Authentication Port, Accounting Port, and
Active Detection Parameters
Mandatory.
Configuring active detection parameters of the RADIUS server is a prerequisite for enabling the active detection
function.
Configuring the Duration for the Device to Stop Transmitting Request Packets to an Unreachable RADIUS
Server
Optional.
The configured duration for the device to stop transmitting request packets to an unreachable RADIUS server takes
effect only when the active detection function is disabled for the RADIUS server.
Verification
Run the show radius server command to display the accessibility information of each RADIUS server.
Related Commands
Configuring the Global Criteria for Judging That a RADIUS Security Server Is Unreachable
Configuring the Duration for the Device to Stop Transmitting Request Packets to an Unreachable RADIUS
Server
2-23
Configuration Guide Configuring RADIUS
Mode
Usage Guide If the active detection function is enabled for a RADIUS security server on the device, the time parameter in
radius-server deadtime does not take effect on the RADIUS server. If the active detection function is
disabled for a RADIUS security server, the device automatically restores the RADIUS security server to the
reachable state when the duration that the RADIUS security server is in the unreachable state exceeds the
time specified in radius-server deadtime.
Configuration Example
Scenario
Figure 2-5
Configuration Configure the global criteria for judging that a RADIUS security server is unreachable.
Steps Configure the IP address of the remote RADIUS security server, authentication port, accounting port,
and active detection parameters.
RADIUS
Ruijie(config)#radius-server dead-criteria time120 tries 5
Client
Ruijie(config)# radius-server host 192.168.5.22 test username test ignore-acct-port idle-time 90
Verification Disconnect the network communication between the device and the server with the IP address of
192.168.5.22.Conduct RADIUS authentication through the device. After 120 seconds, run the show radius
server command to check that the server state is dead.
Ruijie#show running-config
2.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
2-24
Configuration Guide Configuring RADIUS
Displaying
Description Command
Displays global parameters of the show radius parameter
RADIUS server.
Displays the configuration of the show radius server
RADIUS server.
Displays statistics relevant to the show radius dynamic-authorization-extension statistics
RADIUS dynamic authorization
extension function.
Displays statistics relevant to show radius auth statistics
RADIUS authentication.
Displays statistics relevant to show radius acct statistics
RADIUS accounting.
Displays configuration of RADIUS show radius group
server groups.
Displays RADIUS standard Show radius attribute
attributes.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs the RADIUS event. debugradiusevent
Debugs RADIUS packet printing. debugradiusdetail
Debugs the RADIUS dynamic debug radiusextension event
authorization extension function.
Debugs the RADIUS dynamic debug radius extension detail
authorization extension packet
printing.
2-25
Configuration Guide Configuring TACACS+
3 Configuring TACACS+
3.1 Overview
TACACS+ is a security protocol enhanced in functions based on the Terminal Access Controller Access Control System
(TACACS) protocol. It is used to implement the authentication, authorization, and accounting (AAA) of multiple users.
3.2 Applications
Application Description
Managing and Controlling Login of Password verification and authorization need to be conducted on end users.
End Users
TACACS+ is typically applied in the login management and control of end users. A network device serves as the TACACS+
client and sends a user name and password to the TACACS+ server for verification. The user is allowed to log in to the
network device and perform operations after passing the verification and obtaining authorization. See the following figure.
Figure 3-1
3-1
Configuration Guide Configuring TACACS+
Deployment
Start the TACACS+ server on Server B, Server C, and Server D, and configure information on the access device
(Device A) so that the servers provide TACACS+-based AAA function for the access device. Enable the AAA function
on Device A to start authentication for the user login.
Enable the TACACS+ client function on Device A, add the IP addresses of the TACACS+ servers (Server B, Server C,
and Server D) and the shared key so that Device A communicates with the TACACS+ servers over TACACS+ to
implement the AAA function.
3.3 Features
Basic Concepts
Figure 3-2
Packet Type: Indicates the type of packets, with the options including:
TAC_PLUS_AUTHEN: = 0x01 (authentication);
TAC_PLUS_AUTHOR: = 0x02 (authorization);
TAC_PLUS_ACCT: = 0x03 (accounting)
Sequence Number: Indicates the sequence number of a data packet in the current session. The sequence number of
the first TACACS+ data packet in a session must be 1 and the sequence number of subsequent each data packet
increases by one. Therefore, the client sends data packets only with an odd sequence number and TACACS+ Daemon
sends packets only with an even sequence number.
Flags: Contains various bitmap format flags. One of the bits in the value specifies whether data packets need to be
encrypted.
Length: Indicates the body length of a TACACS+ data packet (excluding the header). Packets are encrypted for
transmission on a network.
Overview
3-2
Configuration Guide Configuring TACACS+
Feature Description
TACACS+ Authentication, Conducts authentication, authorization, and accounting on end users.
Authorization, and
Accounting
The following figure uses basic authentication, authorization, and accounting of user login to describe interaction of
TACACS+ data packets.
Figure 3-3
2) After receiving the request, the TACACS+ client sends an authentication start packet to the TACACS+ server.
3) The TACACS+ server returns an authentication response packet, requesting the user name.
3-3
Configuration Guide Configuring TACACS+
4) The TACACS+ client requests the user to enter the user name.
6) After receiving the user name, the TACACS+ client sends an authentication continuation packet that carries the
user name to the TACACS+ server.
7) The TACACS+ server returns an authentication response packet, requesting the login password.
8) The TACACS+ client requests the user to enter the login password.
10) After receiving the login password, the TACACS+ client sends an authentication continuation packet that carries
the login password to the TACACS+ server.
11) The TACACS+ server returns an authentication response packet, prompting that the user passes authentication.
1) The TACACS+ client sends an authorization request packet to the TACACS+ server.
2) The TACACS+ server returns an authorization response packet, prompting that the user passes authorization.
3) After receiving the authorization success packet, the TACACS+ client outputs the network device configuration
screen for the user.
3. Accounting and audit need to be conducted on the login user after successful authorization:
1) The TACACS+ client sends an accounting start packet to the TACACS+ server.
2) The TACACS+ server returns an accounting response packet, prompting that the accounting start packet has
been received.
3-4
Configuration Guide Configuring TACACS+
4) The TACACS+ client sends an accounting end packet to the TACACS+ server.
5) The TACACS+ server returns an accounting response packet, prompting that the accounting end packet has been
received.
3.4 Configuration
The TACACS+ basic functions are available after the configuration is complete. When configuring the AAA method list,
specify the method of using TACACS+ to implement TACACS+ authentication, authorization, and accounting.
When authentication, authorization, and accounting operations are performed, TACACS+ initiates the authentication,
authorization, and accounting requests to configured TACACS+ servers according to the configured sequence. If
response timeout occurs on a TACACS+ server, TACACS+ traverses the TACACS+ server list in sequence.
Notes
The TACACS+ security service is a type of AAA service. You need to run the aaa new-model command to enable the
security service.
Only one security service is provided after TACACS+ basic functions are configured. To make the TACACS+ functions
take effect, specify the TACACS+ service when configuring the AAA method list.
Configuration Steps
Enabling AAA
Mandatory. The AAA method list can be configured only after AAA is enabled. TACACS+ provides services according
to the AAA method list.
Mandatory. Otherwise, a device cannot communicate with the TACACS+ server to implement the AAA function.
3-5
Configuration Guide Configuring TACACS+
Command tacacs-server host {ipv4-address | ipv6-address} [ portinteger ] [ timeout integer ] [ key [ 0 | 7 ] text-string ]
Parameter ipv4-address: Indicates the IPv4 address of the TACACS+ server.
Description ipv6-address: Indicates the IPv6 address of the TACACS+ server.
portinteger: Indicates the TCP port used for TACACS+ communication. The default TCP port is 49.
timeout integer: Indicates the timeout time of the communication with the TACACS+ server. The global
timeout time is used by default.
key [ 0 | 7 ] text-string: Indicates the shared key of the server. The global key is used if it is not configured.
An encryption type can be specified for the configured key. The value 0 indicates no encryption and 7
indicates simple encryption. The default value is 0.
Defaults No TACACS+ server is configured.
Command Global configuration mode
Mode
Usage Guide
1. You can specify the shared key of the server when configuring the IP address of the server. If no
shared key is specified, the global key configured using the tacacs-server key command is used as the
shared key of the server. The shared key must be completely the same as that configured on the server.
2. You can specify the communication port of the server when configuring the IP address.
3. You can specify the communication timeout time of the server when configuring the IP address.
Optional.
If no global communication protocol is configured using this command, set key to specify the shared key of the server
when running the tacacs-server host command to add server information. Otherwise, a device cannot communicate
with the TACACS+ server.
If no shared key is specified by using key when you run the tacacs-server host command to add server information,
the global key is used.
Optional.
You can set the timeout time to a large value when the link between the device and the server is unstable.
3-6
Configuration Guide Configuring TACACS+
Verification
Configure the AAA method list that specifies to conduct authentication, authorization, and accounting on users by using
TACACS+.
Enable the device to interact with the TACACS+ server and conduct packet capture to check the TACACS+ interaction
process between the device and the TACACS+ server.
View server logs to check whether the authentication, authorization, and accounting are normal.
Configuration Example
Scenario
Figure 3-4
Remarks
A is a client that initiates TACACS+ requests.
3-7
Configuration Guide Configuring TACACS+
Verification Telnet to a device from a PC. The screen requesting the user name and password is displayed. Enter the
correct user name and password to log in to the device. View the authentication log of the user on the
TACACS+ server.
Common Errors
The key configured on the device is inconsistent with the key configured on the server.
The authentication, authorization, and accounting in the security service are processed by different TACACS+ servers,
which improves security and achieves load balancing to a certain extent.
Notes
The TACACS+ security service is a type of AAA service. You need to run the aaa new-model command to enable the
security service.
Only one security service is provided after TACACS+ basic functions are configured. To make the TACACS+ functions
take effect, specify the TACACS+ service when configuring the AAA method list.
Configuration Steps
Mandatory. There is only one TACACS+ server group by default, which cannot implement separate processing of
authentication, authorization, and accounting.
Three TACACS+ server groups need to be configured for separately processing authentication, authorization, and
accounting.
3-8
Configuration Guide Configuring TACACS+
server groups.
Mandatory. If no server is added to a server group, a device cannot communicate with TACACS+ servers.
In server group configuration mode, add the servers that are configured using the tacacs-server host command.
Verification
Configure the AAA method list that specifies to conduct authentication, authorization, and accounting on users by using
TACACS+.
Enable a device to interact with TACACS+ servers. Conduct packet capture, check that the authentication,
authorization, and accounting packets are interacted with different servers, and check the source addresses in packets.
Configuration Example
Configuring Different TACACS+ Server Groups for Separately Processing Authentication, Authorization, and
Accounting
Scenario
Figure 3-5
3-9
Configuration Guide Configuring TACACS+
Remarks
A is a client that initiates TACACS+ requests.
Ruijie(config-gs-tacacs)# exit
Ruijie(config-gs-tacacs)# exit
Ruijie(config-gs-tacacs)# exit
3-10
Configuration Guide Configuring TACACS+
Verification Telnet to a device from a PC. The screen requesting the user name and password is displayed. Enter the
correct user name and password to log in to the device. Enter the enable command and enter the correct
enable password to initiate enable authentication. Enter the privilege EXEC mode after passing the
authentication. Perform operations on the device and then exit the device.
View the authentication log of the user on the server with the IP address of 192.168.5.22.
View the enable authentication log of the user on the server with the IP address of 192.168.5.22.
View the exec authorization log of the user on the server with the IP address of 192.168.5.34.
View the command accounting log of the user on the server with the IP address of 192.168.5.44.
Common Errors
The key configured on the device is inconsistent with the key configured on the server.
3.5 Monitoring
Displaying
Description Command
Displays interaction with each TACACS+ show tacacs
server.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs TACACS+. debug tacacs+
3-11
Configuration Guide Configuring 802.1X
4 Configuring 802.1X
4.1 Overview
IEEE 802.1X is a standard for port-based network access control that provides secure access service for local area networks
(LANs).
In IEEE 802-compliant LANs, users connecting to the network access devices (NASs) can access network resources without
authentication and authorization, bringing security risks to the network. IEEE 802.1X was proposed to resolve security
problems of such LANs.
802.1X supports three security applications: authentication, authorization, and accounting, which are called AAA.
Authentication: Checks whether to allow user access and restricts unauthorized users.
Authorization: Grants specified services to users and controls permissions of authorized users.
Accounting: Records network resource status of users to provide statistics for charges.
802.1X can be deployed in a network to realize user authentication, authorization and other functions.
4.2 Applications
Application Description
Wired 802.1X Authentication To ensure secure admission on the campus network, 802.1X authentication is
deployed on access switches.
The campus network is deployed at the access, convergence, and core layers. 802.1X is deployed on access switches
connected to dormitories to perform secure admission. Dormitory users must pass 802.1X authentication before accessing
the campus network.
User ends must be installed with 802.1X clients (which can come with the operating system, or others like Ruijie
Supplicant).
4-1
Configuration Guide Configuring 802.1X
One or multiple Remote Authentication Dial-In User Service (RADIUS) servers perform authentication.
Figure 4-1
Remarks The supplicant software installed on the user ends (or software coming with the operating system) performs
802.1X authentication. 802.1X authentication is deployed on access switches, convergence switches, or core
switches. The RADIUS server runs the RADIUS server software to perform identity verification.
Deployment
Enable 802.1X authentication on ports between access switches and users to make ports controllable. Only
authenticated users on one port can access the network.
Configure an AAA authentication method list so that 802.1X can adopt the appropriate method and authentication
server.
Configure RADIUS parameters to ensure proper communication between a switch and the RADIUS server. For details,
see the Configuring RDS.
If a Ruijie RADIUS server is used, configure SNMP parameters to allow the RADIUS server to manage devices, such as
querying and setting.
Configure the port between the access switch and the RADIUS server as an uncontrolled port to ensure proper
communication between them.
Create an account on the RADIUS server, register the IP address of an access switch, and configure RADIUS-related
parameters. Only in this case, can the RADIUS server respond to the requests of the switch.
4-2
Configuration Guide Configuring 802.1X
MAC address bypass (MAB) auto authentication indicates that MAB authentication is performed together with Web
authentication. In the original wireless Web authentication scenario, it is complained that the ease-to-use performance of
Web authentication is poor. During each Web authentication, a user needs to associate the STA with an SSID, open the
browser, and enter the user name and password. In addition, if the STA drops out of the network, the STA cannot
automatically access the network again. To ensure that all Web authenticated STAs are always online and access the
network imperceptibly, MAB auto authentication is proposed. After a STA passes Web authentication, the STA can access
the network again imperceptibly without Web authentication.
One or multiple RADIUS servers provide authentication. In addition, the authentication server supports the
authentication mode of using the MAC address as the user name and password.
Figure 4-2
Radius Server
AC
AP1 AP2
Remarks Wireless MAB authentication is triggered by a STA advertisement. When a STA is already online, MAB
authentication will not be triggered again. If MAB authentication fails, it can be triggered again only after the STA
4-3
Configuration Guide Configuring 802.1X
Deployment
Enable Web authentication, DOT1X authentication, and MAB authentication on the interface of the AC. MAB
authentication can be performed only after DOT1X authentication is enabled. (For details about MAB authentication,
see section 4.4.5 "Configuring MAB Auto Authentication". For details about Web authentication, see the
WEB-AUTH-SCG document.)
Configure an AAA authentication method list, so that a correct method and authentication server can be used for
MAB/Web authentication. (For details about the AAA authentication method list configuration, see the AAA-SCG
document.)
Configure RADIUS parameters to ensure proper communication between the AC and the RADIUS server. In addition,
configure the RADIUS server to support the authentication mode of using the MAC address as the user name and
password. For details about the RADIUS configuration, see the corresponding configuration guide.
If a Ruijie RADIUS server is used, configure SNMP parameters to allow the RADIUS server to perform operations such
as querying and setting on the AP.
Create an account on the RADIUS server, register the IP address of the AC, and configure RADIUS-related parameters.
The RADIUS server can respond to the requests of the AP and AC only after the foregoing settings are completed.
4.3 Features
Basic Concepts
User
In wired environment, 802.1X is a LAN-based protocol. It identifies users based on physical information but not accounts. In a
LAN, a user is identified by the MAC address and VLAN ID (VID). Except them, all other information such as the account ID
and IP address can be changed.
RADIUS
RADIUS is a remote authentication protocol defined in RFC2865, which get wide practice. Using this protocol, the
authentication server can remotely deploy and perform authentication. During 802.1X deployment, the authentication server
is remotely deployed, and 802.1X authentication information between the NAS and the authentication server is transmitted
through RADIUS.
Timeout
During authentication, an NAS needs to communicate with the authentication client and server. If the authentication client or
server times out, not responding within the time specified by 802.1X, authentication will fail. During deployment, ensure that
the timeout specified by 802.1X is longer than that specified by RADIUS.
MAB
4-4
Configuration Guide Configuring 802.1X
MAC address bypass (MAB) authentication means that the MAC address is used as the user name and password for
authentication. Since Ruijie Supplicant cannot be installed on some dumb ends such as network printers, use MAB to
perform security control.
EAP
802.1X uses Extensible Authentication Protocol (EAP) to carry authentication information. Defined in RFC3748, EAP
provides a universal authentication framework, in which multiple authentication modes are embedded, including Message
Digest Algorithm 5 (MD5), Challenge Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP),
and Transport Layer Security (TLS). Ruijie 802.1X authentication supports various modes including MD5, CHAP, PAP,
PEAP-MSCHAP, and TLS.
Authorization
Authorization means to bind specified services to authenticated users, such as IP address, VLAN, Access Control List (ACL),
and Quality of Service (QoS).
Accounting
Accounting performs network audit on network usage duration and traffic for users, which facilitates network operation,
maintenance, and management.
Some RADIUS servers such as RG-SAM\RG-SMP servers need to check the online/offline status based on accounting
packets. Therefore, accounting must be enabled on these RADIUS servers.
Overview
Feature Description
Authentication Provides secure admission for users. Only authenticated users can access the network.
Authorization Grants network access rights to authenticated users, such as IP address binding and ACL binding
Accounting Provides online record audit, such as online duration and traffic.
4.3.1 Authentication
Authentication aims to check whether users are authorized and prevent unauthorized users from accessing the network.
Users must pass authentication to obtain the network access permission. They can access the network only after the
authentication server verifies the account. Before user authentication succeeds, only EAPOL packets (Extensible
Authentication Protocol over LAN, 802.1X packets) can be transmitted over the network for authentication.
Working Principle
802.1X authentication is very simple. After a user submits its account information, the NAS sends the account information to
the remote RADIUS server for identity authentication. If the authentication succeeds, the user can access the network.
Roles in Authentication
802.1X authentication involves three roles: supplicant, authenticator, and server. In real applications, their respective roles
are client, network access server (NAS), and authentication server (mostly RADIUS server).
4-5
Configuration Guide Configuring 802.1X
Figure 4-3
Supplicant
The supplicant is the role of end users, usually a PC. It requests to access network services and replies to the request
packets of the authenticator. The supplicant must run software compliant with the 802.1X standard. Except the typical 802.1X
client support embedded in the operating system, Ruijie has launched a Ruijie Supplicant compliant with the 802.1X
standard.
Authenticator
The authenticator is usually an NAS such as a switch access hotspot. It controls the network connection of a client based on
the client's authentication status. As a proxy between the client and the authentication server, the authenticator requests the
user name from the client, verifies the authentication information from the authentication server, and forwards it to the client.
Except as the 802.1X authenticator, the so-called NAS also acts as a RADIUS Client. It encapsulates the replies of the client
into the RADIUS-format packets and forwards the packets to the RADIUS server. After receiving the information from the
RADIUS server, it interprets the information and forwards it to the client.
The authenticator has two types of ports: controlled port and uncontrolled port. Users connected to controlled ports can
access network resources only when authenticated. Users connected to uncontrolled ports can directly access network
resources without authentication. We can connect users to controlled ports to control users. Uncontrolled ports are mainly
used to connect the authentication server to ensure proper communication between the authentication server and the NAS.
Authentication server
The authenticator server is usually an RADIUS server. It cooperates with the authenticator to provide authentication service
for users. The authentication server saves the user names, passwords, and related authorization information. One server
can provides authentication service for multiple authenticators to achieve centralized user management. The authentication
server also manages accounting data received from authenticators. Ruijie RADIUS servers compliant with 802.1X standard
include Microsoft IAS/NPS, Free RADIUS Server, and Cisco ACS.
The supplicant exchanges information with the authenticator through EAPOL while exchanges information with the
authentication server through RADIUS. EAPOL is encapsulated on the MAC layer, with the type number of 0x888E. IEEE
4-6
Configuration Guide Configuring 802.1X
assigned a multicast MAC address 01-80-C2-00-00-03 for EAPOL to exchange packets during initial authentication. Ruijie
Supplicant may also use 01-D0-F8-00-00-03 to for initial authentication packets.
Figure 4-4
802.1X determines whether a user on a port can access the network based on the authentication status of the port. Ruijie
products extend the 802.1X and realizes access control based on users (identify a wired user by the MAC address and VLAN
ID) by default. Ruijie 802.1X can also be enabled in interface configuration mode. For details, see the chapter
"Configuration."
All users on an uncontrolled port can access network resources, while users on a controlled port can access network
resources only after authorized. When a user initiates authentication, its status remains Unauthorized and cannot access the
network yet. After it passes authentication, its status changes to Authorized and can access network resources.
If the user connected to a controlled port does not support 802.1X, it will not respond to the NAS requesting the user name of
the user. That means, the user remains Unauthorized and cannot access network resources.
In the case of 802.1X-enabled user and 802.1X-disabled NAS, if the user does not receive any responses after sending a
specified number of EAPOL-Start packets, it regards the connected port uncontrolled and directly accesses network
resources.
On 802.1X-enabled devices, all ports are uncontrolled by default. We can configure a port as controlled so that all users on
this port have to be authorized.
If a user passes authentication (that is, the NAS receives a success packet from the RADIUS server), the user becomes
Authorized and can freely access network resources. If the user fails in authentication, it remains Unauthorized and
re-initiates authentication. If the communication between the NAS and the RADIUS server fails, the user remains
Unauthorized and cannot access network resources.
When a user sends an EAPOL-LOGOFF packet, the user's status changes from Authorized to Unauthorized.
4-7
Configuration Guide Configuring 802.1X
When a port of the NAS goes down, all users on this port will become Unauthorized.
802.1X authentication uses the RADIUS server as the authentication server. Therefore, when 802.1X secure admission is
deployed, the RADIUS server also needs to be deployed. Common RADIUS servers include Microsoft IAS/NPS, Cisco ACS,
and RG-SAM/SMP. For details about the deployment procedure, see related software description.
To use 802.1X authentication, enable 802.1X authentication on the access port and configure AAA authentication method list
and RADIUS server parameters. To ensure the accessibility between the NAS and RADIUS server, the 802.1X server
timeout should be longer than the RADIUS server timeout.
Supplicant
A user should start Ruijie Supplicant to enter the user name and initiate authentication. If the operating system brings an own
authentication client and the network is available, a dialog box will be displayed, asking the user to enter the user name.
Different clients may have different implementation processes and Graphical User Interfaces (GUIs). It is recommended to
use Ruijie Supplicant as the authentication client. If other software is used, see related software description.
Offline
If a user does not want to access the network, it can choose to go offline by multiple approaches, such as powering off the
device, connecting the port to the network, and offline function provided by some supplicants.
4.3.2 Authorization
After a user passes authentication, the NAS restricts the accessible network resources of the user in multiple approaches,
such as binding the IP address and the MAC address, and specifying the maximum online time or period, accessible VLANs,
and bandwidth limit.
Working Principle
Authorization means to bind the permissions with the users. A user is identified based on the MAC address and VLAN ID, as
mentioned before. Besides MAC-VID binding, some other information such as the IP address and VLAN ID are bound with a
user to implement authorization.
IP Authorization
802.1X does not support IP address identification. Ruijie 802.1X authentication extends 802.1X to support IP-MAC binding,
which is called IP authorization. IP authorization supports four modes:
RADIUS authorization: After successful authentication, the RADIUS server delivers the IP address to the NAS.
DHCP authorization: In such case, an authenticated user will initiate a DHCP request to obtain an IP address, and then bind
the IP address with the MAC address of the client.
4-8
Configuration Guide Configuring 802.1X
Mixed authorization: IP-MAC binding is configured for users in the following sequence: Supplicant authorization -> RADIUS
authorization -> DHCP authorization. That is, the IP address provided by Ruijie Supplicant preferred, then the IP address
provided by the RADIUS server, and finally the IP address provided by DHCP.
ACL Authorization
After user authentication is complete, the authentication server delivers the ACL or ACE to users. The ACL must be
configured on the authentication server before delivery while no extra configuration is required for ACE delivery. ACL
authorization delivers the ACL based on RADIUS attributes such as standard attributes, Ruijie-proprietary attributes, and
Cisco-proprietary attributes. For details, see the software description related to the RADIUS server.
Kickoff
Used with RG-SAM/SMP, Ruijie 802.1X server can kick off online users who will be disconnected with the network. This
function applies to the environment where the maximum online period and real-time accounting check function are
configured.
4.3.3 Accounting
Accounting allows the network operators to audit the network access or fees of accessed users, including the online time and
traffic.
Working Principle
Accounting is enabled on the NAS. The RADIUS server supports RFC2869-based accounting. When a user goes online, the
NAS sends an accounting start packet to the RADIUS server which then starts accounting. When the user goes offline, the
NAS sends an accounting end packet to the RADIUS server which then completes the accounting and generates a network
fee accounting list. Different servers may perform accounting in different ways. Moreover, not all servers support accounting.
Therefore, refer to the usage guide of the authentication server during actual deployment and accounting.
Accounting Start
After a user passes authentication, the accounting-enabled switch sends the RADIUS server an accounting start packet
carrying user accounting attributes such as user name and accounting ID. After receiving the packet, the RADIUS server
starts accounting.
Accounting Update
The NAS periodically sends Accounting Update packets to the RADIUS server, making the accounting more real-time. The
accounting update interval can be provided by the RADIUS server or configured on the NAS.
Accounting End
After a user goes offline, the NAS sends the RADIUS server an accounting end packet carrying the online period and traffic
of the user. The RADIUS server generates online records based on the information carried in this packet.
4-9
Configuration Guide Configuring 802.1X
4.4 Configuration
Ensure that the 802.1X server timeout is longer than the RADIUS server timeout.
4-10
Configuration Guide Configuring 802.1X
Single-user MAB and multi-user MAB cannot be enabled at the same time.
MAB adopts the PAP authentication mode. Ensure correct server configurations during
deployment.
Configuring MAB
dot1x mac-auth-bypass Enables single-user MAB.
dot1x mac-auth-bypass multi-user Enables multi-user MAB.
Configures the quiet period after multi-user
dot1x multi-mab quiet-period
MAB fails.
dot1x mac-auth-bypass timeout-activity Configures the timeout of MAB users.
dot1x mac-auth-bypass violation Enables MAB violation mode.
dot1x mac-auth-bypass vlan Configures VLAN-based MAB.
4-11
Configuration Guide Configuring 802.1X
(Optional) It is used to enable 802.1X packet sending with the pseudo source MAC
address.
(Optional) It is used to configure multiple accounts for the same MAC address.
On a wired network, run the dot1x port-control auto command in interface configuration mode to enable 802.1X
authentication on a port.
Run the radius-server host ip-address command to configure the IP address and port information of the RADIUS
server and the radius-server key command to configure the RADIUS communication key between the NAS and the
RADIUS server to ensure secure communication.
Run the aaa accounting update command in global configuration mode to enable accounting update and the aaa
accounting update interval command on the NAS to configure the accounting update interval. If the RADIUS server
4-12
Configuration Guide Configuring 802.1X
supports accounting update, you can also configure it on the RADIUS server. Prefer to use the parameters assigned by
the authentication server than the parameters configured on the NAS.
Notes
Configure accurate RADIUS parameters so that the basic RADIUS communication is proper.
The 802.1X authentication method list and accounting method list must be configured in AAA. Otherwise, errors may
occur during authentication and accounting.
Due to chipset restriction on switches, if 802.1X is enabled on one port, all ports will send 802.1X packets to the CPU.
If 802.1X is enabled on a port but the number of authenticated users exceeds the maximum number of users configured
for port security, port security cannot be enabled.
If port security and 802.1X are both enabled but the security address has aged, 802.1X users must re-initiate
authentication requests to continue the communication.
Users with IP addresses statically configured or compliant with IP-MAC binding can access the network without
authentication.
802.1X uses the default method list by default. If the default method list is not configured for AAA, run the dot1x
authentication and dot1x accounting commands to reconfigure the it.
When RG-SAM/SMP is used, accounting must be enabled. Otherwise, the RADIUS server will fail to detect users going
offline, causing offline users remaining in the online user table.
Configuration Steps
Enabling AAA
(Mandatory) 802.1X authentication and accounting take effect only after AAA is enabled.
Enable AAA on the NAS that needs to control user access by 802.1X.
Mandatory.
The AAA authentication method list must be consistent with the 802.1X authentication method list.
Enable an AAA authentication method list after 802.1X authentication is enabled on the NAS.
4-13
Configuration Guide Configuring 802.1X
(Mandatory) The RADIUS server parameters must be configured to ensure proper communication between the NAS
and the RADIUS server.
Configure RADIUS server parameters after 802.1X authentication is enabled on the NAS.
Configuring the Preshared Key for Communication between the NAS and RADIUS Server
(Mandatory) The preshared key for communication between the NAS and RADIUS server must be configured to ensure
proper communication between the NAS and the RADIUS server.
Configure the preshared key of the RADIUS server after 802.1X authentication is enabled on the NAS.
4-14
Configuration Guide Configuring 802.1X
Verification
Start Ruijie Supplicant, enter the correct account information, and initiate authentication. Then check whether the 802.1X and
RADIUS configurations are correct.
4-15
Configuration Guide Configuring 802.1X
Check whether the RADIUS server responds to authentication based on the RADIUS packets between the NAS and the
RADIUS server. If no, it means that the network is disconnected or parameter configurations are incorrect. If the
RADIUS server directly returns a rejection reply, check the log file on the RADIUS server to identify the cause, e.g., of
the authentication mode of the authentication server is incorrectly configured.
Configuration Example
Scenario
Figure 4-5
Configuration Register the IP address of the switch on the RADIUS server and configure the communication
Steps key between the switch and the RADIUS server.
Create an account on the RADIUS server.
Enable AAA on the switch.
Configure RADIUS parameters on the switch.
Enable 802.1X authentication on ports of the switch.
Switch configurations are as follows. For detailed configuration on the RADIUS server, see the
Configuring RADIUS.
ruijie# configure terminal
ruijie (config)# aaa new-model
ruijie (config)# radius-server host 192.168.32.120
ruijie (config)# radius-server key ruijie
ruijie (config)# interface FastEthernet 0/1
ruijie (config-if)# dot1x port-control auto
Verification Check whether authentication is proper and network access behaviors change after authentication.
The account is successfully created, such as username:tests-user,password:test.
The user fails to ping 192.168.32.120 before authentication.
After the user enters account information and click Authenticate on Ruijie Supplicant, the
authentication succeeds and the user can successfully ping 192.168.32.120.
Information of the authenticated user is displayed.
ruijie# show dot1x summary
4-16
Configuration Guide Configuring 802.1X
Common Errors
The RADIUS server has a special access policy, for example, the RADIUS packets must carry certain attributes.
The AAA authentication mode list is different from the 802.1X authentication mode list, causing authentication failure.
Adjust 802.1X parameter configurations based on the actual network situation. For example, if the authentication server
has poor performance, you can raise the authentication server timeout.
Notes
802.1X and RADIUS have separate server timeouts. By default, the authentication server timeout of 802.1X is 5
seconds while that of RADIUS is 15 seconds. In actual situations, ensure that the former is greater than the latter. You
can run the dot1x timeout server-timeout command to adjust the authentication server timeout of 802.1X. For
detailed configuration about the RADIUS server timeout, see the Configuring RADIUS.
Configuration Steps
Enabling Re-authentication
(Optional) After re-authentication is enabled, the NAS can periodically re-authenticate online users.
4-17
Configuration Guide Configuring 802.1X
Configure the re-authentication interval after 802.1X authentication is enabled on the NAS. The re-authentication
interval takes effect only after re-authentication is enabled.
Configure the interval of EAP-Request/Identity packet retransmission after 802.1X authentication is enabled on the
NAS.
Configure the maximum times of EAP-Request/Identity packet retransmission after 802.1X authentication is enabled on
the NAS.
4-18
Configuration Guide Configuring 802.1X
Configure the interval of EAP-Request/Challenge packet retransmission after 802.1X authentication is enabled on the
NAS.
Configure the maximum times of EAP-Request/Challenge packet retransmission after 802.1X authentication is enabled
on the NAS.
Configure the authentication server timeout after 802.1X authentication is enabled on the NAS.
4-19
Configuration Guide Configuring 802.1X
Configure the quiet period after 802.1X authentication is enabled on the NAS.
Configure the authentication mode after 802.1X authentication is enabled on the NAS.
(Optional) If online Ruijie client detection is enabled, the NAS can find clients going offline in a timely manner to prevent
incorrect accounting.
Enable online Ruijie client detection after 802.1X authentication is enabled on the NAS.
4-20
Configuration Guide Configuring 802.1X
(Optional) A larger value indicates a longer time interval at which Ruijie clients send detection packets.
Configure the interval of online Ruijie client detection after 802.1X authentication is enabled on the NAS.
(Optional) A larger value indicates a longer interval at which the NAS finds clients going offline.
Configure the duration of online Ruijie client detection after 802.1X authentication is enabled on the NAS.
Verification
Run the show dot1x command to check whether parameter configurations take effect.
Configuration Example
4-21
Configuration Guide Configuring 802.1X
Scenario
Figure 4-6
4-22
Configuration Guide Configuring 802.1X
Common Errors
Online client detection is enabled but the authentication program is not Ruijie Supplicant.
In IP authorization, authenticated users have to use the specified IP addresses to access the network, preventing IP
address fake. IP authorization can be enabled in global configuration mode or interface configuration mode. IP
authorization enabled in interface configuration mode takes priority over that configured in global configuration mode.
Enable non-Ruijie client filtering. If this function is enabled, users must use Ruijie Supplicant for authentication so that
they will enjoy services provided by Ruijie Supplicant, such as anti-proxy or SMS.
Enable Web redirection to support 2G Ruijie Supplicant deployment. 2G Ruijie Supplicant deployment means that a
user needs to download Ruijie Supplicant through the browser and then initiate authentication through Ruijie Supplicant.
2G Ruijie Supplicant deployment facilitates quick deployment of Ruijie Supplicant in the case of massive users.
Notes
If the real-time kickoff function of RG-SAM/SMP is used, you need to configure correct SNMP parameters. For details,
see the Configuring SNMP.
If the IP authorization mode is changed, all authenticated users will go offline and have to get re-authenticated before
online again.
4-23
Configuration Guide Configuring 802.1X
In mixed authorization mode, IP authorization with a higher priority is used during user authentication. For example, if
Ruijie Supplicant provides an IP address for this RADIUS-authentication user during its re-authentication, this IP
address will be used for authorization.
2G Ruijie Supplicant deployment and Web authentication cannot be used at the same time.
2G Ruijie Supplicant deployment requires the setting of the redirect parameter. For details, see the Configuring Web
Authentication.
The kickoff function of RG-SAM/SMP is implemented through SNMP. Therefore, you need to configure SNMP
parameters. For details, see the Configuring SNMP.
Configuration Steps
In radius-server mode, the authentication server needs to assign IP addresses based on the framed-ip parameters.
Configure the IP authorization mode after 802.1X authentication is enabled on the NAS.
(Optional) If the redirection for 2G Ruijie Supplicant deployment is enabled, users not having any 802.1X authentication
clients on a controlled port can download and install an 802.1X authentication client through Web pages.
Enable Web redirection for 2G Ruijie Supplicant deployment after 802.1X authentication is enabled on the NAS.
The redirect parameter must be configured. For details, see the Configuring Web Authentication.
4-24
Configuration Guide Configuring 802.1X
Enable non-Ruijie client filtering after 802.1X authentication is enabled on the NAS.
Verification
After IP authorization is enabled, use the client to initiate authentication and go online, and then change the IP address.
As a result, the client cannot access the network.
Enable Web redirection for 2G Ruijie Supplicant deployment. When you start the browser to visit a website, the system
automatically redirects to the download Web page and downloads the authentication client. You can access the
network only when authenticated by the client.
After a user is authenticated and goes online, enable the kickoff function on RG-SAM/SMP. The NAS will force the user
offline and the user will fail to access the network.
Configuration Example
Scenario
Figure 4-7
4-25
Configuration Guide Configuring 802.1X
Common Errors
There are multiple authentication clients on the network but non-Ruijie client filtering is enabled, causing some users to
fail authentication.
RG-SAM/SMP is used but SNMP parameters are not configured on the switch, causing kickoff failure.
The redirect parameter is incorrectly configured, causing abnormalities in redirection for 2G Ruijie Supplicant
downloading.
4-26
Configuration Guide Configuring 802.1X
If the MAC address of an access user is used as the authentication account, the user does not need to install any
supplicants. This applies to some dumb users such as networking printers.
Multi-user MAB applies to the scenario where multiple dumb users connected to a port. For example, multiple VoIP
devices are deployed in the network call center.
Multi-user MAB can be used with 802.1X authentication. It applies to mixed access scenarios such as the PC-VoIP
daisy-chain topology.
Notes
A MAB-enabled port sends an authentication request packet as scheduled by tx-period. If the number of the sent
packets exceeds the number specified by reauth-max but still no client responds, this port enters the MAB mode. Ports
in MAB mode can learn the MAC addresses and use them as the account information for authentication.
When using the MAC address as the user name and password on the authentication server, delete all delimiters. For
example, if the MAC address of a user is 00-d0-f8-00-01-02, the user name and password should be set to
00d0f8000102 on the authentication server.
802.1X takes priority over MAB. Therefore, if a user having passed MBA authentication uses a client to initiate 802.1X
authentication, MAB entries will be removed.
MAB supports only PAP authentication. PAP authentication should be enabled also on the authentication server.
Only when active authentication is enabled, can MAB detect whether the user can perform 802.1X authentication.
Therefore, automatic authentication must be enabled for MAB deployment.
Configuration Steps
Optional.
Single-user MAB applies when only one user connected to a port needs to be authenticated.
4-27
Configuration Guide Configuring 802.1X
Mode
Usage Guide This command applies only to switches. Single-user MAB applies when only one dumb user connected to a
port needs to be authenticated. If you want to restrict the number of users, enable the violation mode.
Optional.
After a MAC address in MAB mode is authenticated and goes online, the NAS regards the MAC address online unless
re-authentication fails, the port goes down, or the MAC address goes offline due to management policies such as
kickoff. You can configure the timeout of authenticated MAC addresses. The default value is 0, indicating always online.
Configure the timeout of MAB users on the 802.1X controlled port of the NAS.
Optional.
By default, after one MAC address passes MAB authentication, data of all switches connected to the port can be
forwarded. However, for security purposes, the administrator may request one MAB port to support only one MAC
address. In this case, you can enable MAB violation on the port. If more than one MAC address is found connected to a
MAB violation-enabled port after the port enters MAB mode, the port will become a violation.
Optional.
4-28
Configuration Guide Configuring 802.1X
Optional.
Configure the quite period of the multi-user MAB failure after multi-user MAB is enabled on the NAS.
If multi-user MAB is enabled, you should prohibit unauthorized users from frequently initiating authentication to protect
the NAS from attacks of these users and thereby reduce the load of the authentication server. Configure the quite
period of the multi-user MAB failure in global configuration mode. That is, if a MAC address fails authentication, it needs
to re-initiate authentication after the quiet period. Configure this quiet period based on the actual situation. The default
value is 0, indicating that a user can re-initiate authentication immediately after authentication fails.
Optional.
If you configure VLANs as MAB VLANs, only users in these VLANs can perform MAB.
4-29
Configuration Guide Configuring 802.1X
Verification
Check whether the dumb user can access the network. If yes, MAB takes effect. If no, MAB does not take effect.
Check whether MAB functions are configured on the authentication server and NAS.
Check whether dumb users with illegitimate MAC addresses cannot access the network.
Check whether dumb users with illegitimate MAC addresses can access the network.
Configuration Example
Scenario
Figure 4-8
Configuration Register the IP address of the Switch A on the RADIUS server and configure the communication
Steps key between Switch A and the RADIUS server.
Create an account on the RADIUS server.
Enable AAA on Switch A.
Configure RADIUS parameters on Switch A.
Enable 802.1X and multi-user MAB on a port of Switch A.
Switch configurations are as follows. For detailed configuration on the RADIUS server, see the
Configuring RADIUS.
ruijie# configure terminal
ruijie (config)# aaa new-model
ruijie (config)# radius-server host 192.168.32.120
ruijie (config)# radius-server key ruijie
ruijie (config)# interface FastEthernet 0/1
ruijie (config-if)# dot1x port-control auto
ruijie (config-if)# dot1x mac-auth-bypass multi-user
Verification Check whether authentication is proper and network access behaviors change after authentication.
The account is successfully created, such as username: 0023aeaa4286,password:
0023aeaa4286.
The user fails to ping 192.168.32.120 before authentication.
The user connects to the switch, the authentication succeeds, and the user can successfully
ping 192.168.32.120.
4-30
Configuration Guide Configuring 802.1X
When a STA accesses the network for the first time, Web authentication is performed. When the STA is disconnected
from and then reconnects to the network, authentication is not required.
Notes
Wireless MAB authentication is triggered by a STA advertisement. If a STA is already online, MAB authentication will
not be triggered again. MAB authentication is triggered only after the STA is disconnected from and then reconnects to
the network.
When a STA accesses the network for the second time, a dialog box may be displayed for MAB authentication. When
the STA accesses the network for the third time, the dialog box will not be displayed.
If MAB authentication fails, a dialog box is displayed for Web authentication when the STA accesses the network next
time.
Configuration Steps
For details about Web authentication configuration, see the Web authentication configuration document. For details about
MAB authentication configuration, see section “Configuring MAB”.
Configuration Example
Scenario
Figure 4-9
NAS
4-31
Configuration Guide Configuring 802.1X
Configuration Register the IP address of the NAS on the RADIUS server and configure the communication key
Steps between the NAS and the RADIUS server.
Create an account on the RADIUS server and bind it with a MAC address for imperceptible
authentication.
Enable AAA on the NAS.
Configure RADIUS parameters on the NAS.
Enable 802.1X authentication and MAB authentication on an interface of the NAS.
Enable second-generation (or first-generation/embedded) Web authentication on an interface of
the NAS and configure the Web authentication template globally.
The following describes the NAS configurations. For detailed configuration on the RADIUS server,
see the related configuration guide (The following describes configuration on the switch, which is
similar to that on the AC/AP, except that the configuration on the switch is performed in interface
configuration mode instead of WLAN RSNA configuration mode.)
ruijie#configure terminal
ruijie (config)#aaa new-model
ruijie (config)#aaa authentication web-auth default group radius
ruijie (config)#aaa authentication dot1x default group radius
ruijie (config)aaa accounting net-work default start-stop group radius
ruijie (config)#radius-server host 192.168.32.120
ruijie (config)#radius-server key ruijie
ruijie (config)#web-auth template eportalv2
ruijie (config-tmplt-v2)#ip 192.158.32.9
ruijie (config-tmplt-v2)#url http://192.168.32.9:8080/eportal/index.jsp
ruijie (config-tmplt-v2)#exit
ruijie (config)#interface FastEthernet 0/1
ruijie (config-if)#dot1x port-control auto
ruijie (config-if)#dot1x mac-auth-bypass multi-user
ruijie (config-if)#web-auth enable eportalv2
Verification Check whether authentication is normal and network access behaviors change after authentication.
The account is successfully created, for example, the username is 0023aeaa4286 and the
password is 0023aeaa4286.
The STA fails to ping 192.168.32.120 before authentication.
The STA connects to the NAS, a page indicating the authentication succeeds is displayed, and
the STA can successfully ping 192.168.32.120.
The STA is disconnected from and then reconnects to the network and can successfully ping
192.168.32.120.
ruijie#show dot1x summary
ID Username MAC Interface VLAN Auth-State
Backend-State Port-Status User-Type Time
--------- ---------- -------------- --------- ---- ---------------
4-32
Configuration Guide Configuring 802.1X
Common Errors
Enable IAB. After IAB is enabled, newly authenticated users can access the network even when all RADIUS servers
configured on the NAS are inaccessible.
Enable IAB recovery. When RADIUS servers recover to their reachable status, re-verify the users authorized during
inaccessibility.
Configure IAB VLANs. When RADIUS servers are inaccessible and cannot authenticate users temporarily, you can add
the ports connected with users to specified VLANs so that users can access only network resources of specified
VLANs.
Notes
Configure an account and standards for testing RADIUS server accessibility. For details, see the Configuring RADIUS.
IAB takes effect only when only RADIUS authentication exists in the globally configured 802.1X authentication mode list
and all RADIUS servers in the list are inaccessible. If other authentication modes (for example, local and none) exist in
the list, IAB does not take effect.
After multi-domain AAA is enabled, 802.1X authentication does not need the globally configured authentication mode
list any more. If IAB detects that all RADIUS servers configured in the globally configured 802.1X authentication mode
list are inaccessible, it directly returns an authentication success reply to users, with no need to enter the user name.
Therefore, multi-domain AAA does not take effect on this port.
Users authenticated in IAB mode do not need to initiate accounting requests to the accounting server.
Authenticated users can properly access the network, not affected by server inaccessibility.
In access authentication configuration mode, when 802.1X-based IP authotication is enabled globally, users on this port,
except those habing been authenticated, cannot be authenticated in IAB mode. In gateway authentication mode, users
are IP authorized if their IP addresses are obtained.
Complete 802.1X authentication is required on such 802.1X authentication clients as those of Windows. It is possible
that though these clients already pass the IAB authentication, there are prompts on the clients suggesting failed
authentication.
If the failed VLAN configured does not exist, a failed VLAN will be dynamically created when a port enters the failed
VLAN and automatically removed when the port exits the failed VLAN.
Failed VLANs cannot be private VLANs, remote VLANs, and super VLANs (including sub VLANs).
4-33
Configuration Guide Configuring 802.1X
Configuration Steps
Enabling IAB
(Optional) After IAB is enabled, the NAS authorizes newly authenticated users if the authentication server is faulty.
(Optional) After the authentication server is recovered, the NAS re-authenticates users that are authorized when the
authentication server is inaccessible.
Enable IAB recovery actions after 802.1X authentication is enabled on the NAS.
Verification
When the authentication server is accessible, check whether users can go online only by using the correct user name
and password.
When the authentication server is inaccessible, check whether new users can be authorized to access the network
immediately after connecting to the NAS.
Configuration Example
Enabling IAB
4-34
Configuration Guide Configuring 802.1X
Scenario
Figure 4-10
Configuration Register the IP address of the NAS on the RADIUS server and configure the communication key
Steps between the NAS and the RADIUS server.
Create an account on the RADIUS server.
Enable AAA on the NAS.
Configure RADIUS parameters and enable server accessibility probe on the NAS.
Enable 802.1X and multi-user MAB on a port of the NAS.
NAS configurations are as follows. For detailed configuration on the RADIUS server, see the
Configuring RADIUS.
ruijie# configure terminal
ruijie (config)# aaa new-model
ruijie (config)# radius-server host 192.168.32.120
ruijie (config)# radius-server key ruijie
ruijie (config)# interface FastEthernet 0/1
ruijie (config-if)# dot1x port-control auto
Verification Check whether authentication is proper and network access behaviors change after authentication.
The account is successfully created, such as username: test,password: test.
When the authentication server is accessible, the user fails to ping 192.168.32.120 before
authentication.
When the authentication server becomes inaccessible, the user connects to the NAS,
authentication succeeds, and the user can successfully ping 192.168.32.120.
Information of the authenticated user is displayed.
ruijie# show dot1x summary
ID Username MAC Interface VLAN Auth-State Backend-State
Port-Status User-Type Time
--------- ---------- -------------- --------- ---- --------------- -------------
----------- --------- ------------------
16778217 test 0023.aeaa.4286 Fa0/1 2 Authenticated Idle Authed
static 0days 0h10m20s
4-35
Configuration Guide Configuring 802.1X
Some users use authentication clients embedded in the operating system. These clients may not initiate authentication
immediately after the users access the network, affecting user experience on network access. Enable active
authentication to so that such users can initiate authentication immediately after accessing the network.
Active authentication means that the NAS sends a request/id packet to trigger Ruijie Supplicant to perform 802.1
authentication. Therefore, you can use this function to detect whether Ruijie Supplicant is used. For example, this
function is required for MAB deployment.
Configure the authenticable host list to specify users that can be authenticated on the port, which restricts physical
access points of users to enhance network security
The multi-account function allows a user to switch its account upon re-authentication. In special scenarios such as
Windows domain authentication, multiple authentications are required to access the domain and the user account
changes during authentication. This function applies to these scenarios.
By default, the NAS uses its own MAC address as the source MAC address of EAP packets during 802.1X
authentication. Some versions of Ruijie supplicants check whether the access switch is a Ruijie switch based on the
MAC address of EAP packets and implement some private features. When performing 802.1X authentication with these
supplicants, you can enable the virtual source MAC address to use related private features.
802.1X allows users to obtain IP addresses before accounting. In this manner, the IP address is carried during user
accounting, meeting service requirements. After a user is authenticated and goes online, the NAS can obtain the IP
address of the user from the supplicant or through DHCP snooping, and then 802.1X server initiates an accounting
request. To avoid the case in which the NAS does not initiate accounting for a long time due to failure to obtain the IP
address of the authentication client, configure the IP detection timeout for this function. If the NAS does not obtain the
IP address of the user within the configured time (5 minutes by default), it forces the user offline.
If 802.1X authentication and MAB are enabled, you can specify the priorities of 802.1X authentication and MAB on the
same port. By default, the one triggered first should be first performed and 802.1X authentication takes priority over
MAB. That is, if the NAS receives an EAPOL packet from a user after the user performs MAB, the original MAB user
goes offline and performs 802.1X authentication. At present, you can configure each user to first perform 802.1X
authentication. If a user performs MAB following the 802.1X authentication failure and MAB takes priority over 802.1X
authentication, the user can ignore 802.1X authentication after passing MAB.When 802.1X authentication is performed
for an H3C inode client on a Ruijie switch, the user name provided by the client for authentication is in an unrecognized
format. As a result, the authentication fails. In addition, the H3C authentication server requires the user name to be in
xx-xx-xx-xx-xx-xx format for MAB authentication, which is different from the default MAB authentication user name
format xxxxxxxxxxxx of Ruijie devices. As a result, the authentication fails.A command needs to be provided to control
the 802.1X authentication user name and MAB authentication user name to be compatible with this scenario.
802.1X authentication can be enabled or disabled globally. If 802.1X authentication is globally disabled, users can
access the internet without authentication while authenticated users are not affected. When 802.1 authentication is
globally enabled, users have to pass authentication to access the internet.
Notes
4-36
Configuration Guide Configuring 802.1X
The multi-account function must be disabled if accounting is enabled. Otherwise, accounting may be inaccurate.
MAB requires active authentication. Therefore, active authentication must be enabled if MAB is enabled.
Configuration Steps
(Optional) If active authentication is enabled, the controlled port sends an authentication request actively after
configuration. After receiving this request, the authentication client initiates 802.1X authentication.
(Optional) Configure the number of active authentication requests sent by the NAS.
Configure the number of active authentication requests after 802.1X authentication is enabled on the NAS.
Usage Guide If active authentication is enabled, configure this command to restrict the number of active authentication
packets sent by a port and thereby avoid sending excessive packets.
4-37
Configuration Guide Configuring 802.1X
(Optional) Configure the NAS not to send authentication requests actively if there are authenticated users on a
controlled port.
Enable user detection for active authentication after 802.1X authentication is enabled on the NAS.
(Optional) Configure the interval at which the NAS sends an authentication request actively.
Enable the interval of active authentication request after 802.1X authentication is enabled on the NAS.
(Optional) Configure the authenticable client list on a controlled port. Only clients on the list can perform 802.1X
authentication.
Configure the authenticable client list after 802.1X authentication is enabled on the NAS.
4-38
Configuration Guide Configuring 802.1X
Enabling 802.1X Packets Sending with the Pseudo Source MAC Address
(Optional) Configure the dot1x pseudo source-mac command when Ruijie Supplicant fails to identify the NAS as a
Ruijie device based on the MAC address of the NAS.
Configure the pseudo MAC address as the source MAC address for 802.1X authentication after 802.1X authentication
is enabled on the NAS.
(Optional) Run the dot1x multi-account enable command to allow the same MAC address to be used by multiple
accounts.
Enable multi-account authentication with one MAC address after 802.1X authentication is enabled on the NAS.
(Optional) You can restrict the number of online users on a controlled port, including static users and dynamic users.
Configure the maximum number of authenticated users on a port after 802.1X authentication is enabled on the NAS.
4-39
Configuration Guide Configuring 802.1X
(Optional) If IP-triggered accounting is enabled, the NAS sends an accounting request to the authentication server after
obtaining the IP address of the user.
Configure the IP address obtaining timeout after 802.1X authentication is enabled on the NAS.
(Optional) If 802.1X precedence over MAB is enabled, a user first performs 802.1X authentication. If 802.1X
authentication fails, the user initiates MAB and MAB takes priority of 802.1 authentication.
4-40
Configuration Guide Configuring 802.1X
Configuring the Compatibility Function for H3C 802.1X Authentication Clients and Authentication Servers
4.5 Monitoring
Clearing
Description Command
Clears 802.1X user information. no do1x port-control auto
Clears 802.1X user information. clear dot1x user
Restores the default 802.1X dot1x default
configuration.
4-41
Configuration Guide Configuring 802.1X
Notes
Description Command
Restore the default value of status dot1x timeout quiet-period
machine timeout duration. dot1x timeout server-timeout
dot1x timeout supp-timeout
dot1x timeout tx-period
Restore default values of dot1x re-authentication
configurations related to dot1x timeout re-authperiod
re-authentication. dot1x reauth-max
Restore default values of dot1x auto-req
configurations related to proactive dot1x auto-req user-detect
requests. dot1x auto-req req-interval
dot1x auto-req packet-num
Restores the default value of the dot1x mac-req
number of retransmission times.
Restores the default value of the dot1x auth-mode
authentication mode.
Restore the default values of dot1x client-probe enable
configurations related to client dot1x probe-timer alive
probing. dot1x probe-timer interval
Restores the default value of the dot1x private-supplicant-only
function of supporting only the private
client.
Restores the default value of the dot1x pseudo source-mac
pseudo source MAC address
function.
Restores the default value of the dot1x auth-fail max-attempt
number of VLAN redirection times
upon authentication failures.
Restores the default value of the dot1x multiaccount enable
function of one MAC address for
multiple accounts.
Restores the default value of the dot1x redirect
dot1x redirection function.
Restores the default value of the dot1x multi-mab quiet-period
silent timeout duration.
Restore the default values of dot1x valid-ip-acct enable
functions related to accounting after dot1x valid-ip-acct timeout
obtaining the IP address.
4-42
Configuration Guide Configuring 802.1X
Displaying
Description Command
Displays the parameters and status show radius server
of the RADIUS server.
Displays 802.1X status and show dot1x
parameters.
Displays the authenticable host list. show dot1x auth-address-table
Displays the active authentication show dot1x auto-req
status.
Displays the port control status. show dot1x port-control
Displays the status and parameters show dot1x probe-timer
of host probe.
Displays of the information of show dot1x summary
authenticated users.
Displays the maximum times of show dot1x max-req
EAP-Request/Challenge packet
retransmission.
Displays the information of controlled show dot1x port-control
ports.
Displays the non-Ruijie client filtering show dot1x private-supplicant-only
information.
Displays the re-authentication status. show dot1x re-authentication
Displays the maximum times of show dot1x reauth-max
EAP-Request/Identity packet
retransmission.
Displays the quiet period after show dot1x timeout quiet-period
authentication fails.
Displays the re-authentication show dot1x timeout re-authperiod
interval.
Displays the authentication server show dot1x timeout server-timeout
timeout.
Displays the supplicant timeout. show dot1x timeout supptimeout
Displays the interval of show dot1x timeout tx-period
EAP-Request/Identity packet
retransmission.
Displays user information based on show dot1x user id
the user ID.
Displays user information based on show dot1x user mac
the MAC address.
4-43
Configuration Guide Configuring 802.1X
Debugging
System resources are occupied when debugging information is output. Therefore, disable the debugging switch
immediately after use.
Description Command
Debugs AAA. (For details, see the debug aaa
Configuring AAA.)
Debugs RADIUS. (For details, see debug radius
the Configuring RADIUS.)
Debugs 802.1X events. debug dot1x event
Debugs 802.1X packets. debug dot1x packet
Debugs 802.1X state machine debug dot1x stm
(STM).
Debugs 802.1X internal debug dot1x com
communication.
Debugs 802.1X errors. debug dot1x error
4-44
Configuration Guide Configuring SCC
5 Configuring SCC
5.1 Overview
The Security Control Center (SCC) provides common configuration methods and policy integration for various access control
and network security services, so that these access control and network security services can coexist on one device to meet
diversified access and security control requirements in various scenarios.
Typical access control services are dot1x, Web authentication, Address Resolution Protocol (ARP) check, and IP Source
Guard. The network security services include Access Control List (ACL), Network Foundation Protection Policy (NFPP), and
anti-ARP gateway spoofing. When two or more access control or network security services are simultaneously enabled on
the device, or when both access control and network security services are simultaneously enabled on the device, the SCC
coordinates the coexistence of these services according to relevant policies.
For details about the access control and network security services, see the related configuration guide. This document
describes the SCC only.
N/A
5.2 Application
Students on a campus network of a university usually need to be authenticated through the dot1x client or Web before
accessing the Internet, so as to facilitate accounting and guarantee the benefits of the university.
The students can access the Internet through dot1x client authentication or Web authentication.
ARP spoofing between the students is prevented, so as to guarantee the stability of the network.
Terminal devices in some departments (such as the headmaster's office) can access the Internet without
authentication.
5-1
Configuration Guide Configuring SCC
Figure 5-1
Remarks A traditional campus network is hierarchically designed, which consists of an access layer, a convergence layer
and a core layer, where the access layer performs user access control. On an extended Layer 2 campus network,
however, user access control is performed by a core switch, below which access switches exist without involving
any convergence device in between. The ports between the core switch and the access switches (such as
switches B, C, and D in Figure 5-1) are all trunk ports.
The user access switches B, C, and D connect to PCs in various departments via access ports, and VLANs
correspond to sub VLANs configured on the downlink ports of the core switch, so that access users are in
different VLANs to prevent ARP spoofing.
The core switch A connects to various servers, such as the authentication server and the DHCP server. Super
VLANs and sub VLANs are configured on the downlink ports. One super VLAN correspond to multiple sub
VLANs, and each sub VLAN represents an access user.
Deployment
On the core switch, different access users are identified by VLAN and port numbers. Each access user (or a group of
access users) corresponds to one VLAN. The ports on each access switch that connect to downstream users are
configured as access ports, and one user VLAN is assigned to each access user according to VLAN planning. The core
switch does not forward ARP requests. The core switch replies to the ARP requests from authenticated users only, so
as to prevent ARP spoofing. On the core switch A, user VLANs are regarded as sub VLANs, super VLANs are
configured, and SVIs corresponding to the super VLANs are configured as user gateways.
5-2
Configuration Guide Configuring SCC
On the downlink ports of the core switch (switch A in this example) that connect to the teachers' living area and the
students' living area, both dot1x authentication and Web authentication are enabled, so that users can freely select
either authentication mode for Internet access.
Any special department (such as the headmaster's office in this example) can be allocated to a particular VLAN, and
this VLAN can be configured as an authentication-exemption VLAN so that users in this department can access the
Internet without authentication.
Authentication-Exemptio
n VLAN
Some special departments may be allocated to authentication-exemption VLANs to simplify network management, so that
users in these departments can access network resources without authentication. For example, the headmaster's office can
be divided into the authentication-exemption VLANs on the campus network, so that users in the headmaster's office can
access the Internet without authentication.
The number of IPv4 access users can be restricted to protect the access stability of online users on the Internet and improve
the operational stability of the device.
The number of IPv4 access users is not restricted by default; that is, a large number of users can get online after being
authenticated, till reaching the maximum hardware capacity of the device.
IPv4 access users include IP users (such as IP authenticated users) based on dot1x authentication, users based on
Web authentication, and IP users manually bound (using IP source guard, ARP check, or other means).
Authenticated-User
Migration
Online-user migration means that an online user can get authenticated again from different physical locations to access the
network. On the campus network, however, for ease of management, students are usually requested to get authenticated
from a specified location before accessing the Internet, but cannot get authenticated on other access ports. This means that
the users cannot migrate. In another case, some users have the mobile office requirement and can get authenticated from
different access locations. Then the users can migrate.
User Online-Status
Detection
For a chargeable user, accounting starts immediately after the user passes the authentication and gets online. The
accounting process does not end until the user actively gets offline. Some users, however, forget to get offline when leaving
their PCs, or cannot get offline because of terminal problems. Then the users suffer certain economical losses as the
accounting process continues. To more precisely determine whether a user is really online, we can preset a traffic value, so
5-3
Configuration Guide Configuring SCC
that the user is considered as not accessing the Internet and therefore directly brought offline when the user's traffic is lower
than the preset value in a period of time or there is not traffic of the user at all in a period of time.
Features
Feature Function
Authentication-Exem Users in a specified VLAN can be configured as authentication-exemption users.
ption VLAN
IPv4 User Capacity The IPv4 user capacity of a specified interface can be restricted to guarantee the access stability of
users on the Internet.
Authenticated-User You can specify whether the authenticated can migrate.
Migration
User Online-Status You can specify whether to detect the traffic of online users, so that a user is forced offline when the
Detection traffic of the user is lower than a preset value in a period of time.
Working Principle
Suppose the authentication-exemption VLAN feature is enabled on a device. When the device detects that a packet comes
from an authentication-exemption VLAN, access control is not performed. In this way, users in the authentication-exemption
VLAN can access the Internet without authentication. The authentication-exemption VLAN feature can be regarded as a kind
of applications of secure channels.
The authentication-exemption VLANs occupy hardware entries. When access control such as authentication is disabled,
configuring authentication-exemption VLANs has the same effect as the case where no authentication-exemption
VLANs are configured. Therefore, it is recommended that authentication-exemption VLANs be configured for users who
need to access the Internet without authentication, only when the access control function has been enabled.
Although packets from authentication-exemption VLANs are exempt from access control, they still need to be checked
by a security ACL. If the packets of the users in an authentication-exemption VLAN are denied according to the security
ACL, the users still cannot access the Internet.
In gateway authentication mode, the device does not initiate any ARP request to a user in an authentication-exemption
VLAN, and the ARP proxy will not work. Therefore, in gateway authentication mode, users in different
authentication-exemption VLANs cannot access each other unless the users have been authenticated.
5-4
Configuration Guide Configuring SCC
Working Principle
If the total number of IPv4 access users is restricted, new users going beyond the total number cannot access the Internet.
Only the switches support the restriction on the number of IPv4 access users.
The number of IPv4 access users is not restricted on the device by default, but depends on the hardware capacity of the
device.
The number of IPv4 access users includes the IPv4 authenticated users based on dot1x authentication, IPv4 users
based on Web authentication, and IPv4 users based on various binding functions. Because the number of IPv4 access
users is configured in interface configuration mode, the restriction includes both the number of IPv4 users generated on
the port and IPv4 users globally generated. For example, you can set the maximum number of IPv4 access users on
the Gi 0/1 port to 2, run commands to bind an IPv4 user to the port, and then run commands to bind a global IPv4 user
to the port. Actually there are already two access users on the port. If you attempt to bind another IPv4 user or another
global IPv4 user to the port, the binding operation fails.
Working Principle
When authenticated-user migration is enabled, the dot1x or Web authentication module of the device detects that the port
number or VLAN corresponding to a user's MAC address has changed. Then the user is forced offline and needs to be
authenticated again before getting online.
Only the switches or wireless devices support authenticated-user migration. In addition, cross-switch migration is not
supported. For example, authentication and migration are enabled on two N18000, and a user gets online after being
authenticated on one of the two N18000. If the user attempts to migrate to the other N18000, the migration fails.
The authenticated-user migration function requires a check of users' MAC addresses, and is invalid for users who have
IP addresses only.
The authenticated-user migration function enables a user who gets online at one place to get online at another place
without getting offline first. If the user gets online at one place and then gets offline at that place, or if the user does not
get online before moving to another place, the situation is beyond the control range of authenticated-user migration.
During migration, the system checks whether the VLAN ID or port number that corresponds to a user's MAC address
has changed, so as to determine whether the user has migrated. If the VLAN ID or port number is the same, it indicates
that the user does not migrate; otherwise, it indicates that the user has migrated. According to the preceding principle, if
another user on the network uses the MAC address of an online user, the system will wrongly disconnect the online
user unless extra judgment is made. To prevent such a problem, the dot1x or Web authentication will check whether a
user has actually migrated. For a user who gets online through Web authentication or dot1x authentication with IP
5-5
Configuration Guide Configuring SCC
authorization, the dot1x or Web authentication sends an ARP request to the original place of the user if detecting that
the same MAC address is online in another VLAN or on another port. If no response is received within the specified time,
it indicates that the user's location has indeed changed and then the migration is allowed. If a response is received
within the specified time, it indicates that the user actually does not migrate and a fraudulent user may exist on the
network. In the latter case, the migration is not performed. The ARP request is sent once every second by default, and
sent for a total of five times. This means that the migration cannot be confirmed until five seconds later. Timeout-related
parameters, including the probe interval and probe times, can be changed using the arp retry times times and arp retry
interval interval commands. For details about the specific configuration, see ARP-SCG.doc. It should be noted that the
migration check requires the configuration of IP authorization for users based on dot1x authentication. In addition, the
ARP probe is triggered only for user migration in gateway authentication mode but not triggered for user migration in
access authentication mode.
Working Principle
A specific detection interval is preset on the device. If a user's traffic is lower than a certain value in this interval, the device
considers that the user is not using the network and therefore directly disconnects the user.
Only the switches devices support the user online-status detection function.
The user online-status detection function applies to only users who get online through dot1x or Web authentication.
Currently, due to hardware chip restrictions of the N18000, the time to disconnect a user without any traffic relates to
the configured MAC address aging time. If the traffic detection interval is set to m minutes and the MAC address aging
time is set to n minutes, the interval from the moment when an authenticated user leaves the network without actively
getting offline to the moment when the user is disconnected upon detection of zero traffic is about [m, m+n] minutes. In
other words, if an online user does not incur any Internet access traffic, the user is disconnected about [m, m+n]
minutes later.
5-6
Configuration Guide Configuring SCC
5.4 Configuration
Optional configuration, which is used to specify the users of which VLANs can access
Configuring
the Internet without authentication.
Authentication-Exemption
VLANs Configures authentication-exemption
[no] direct-vlan
VLANs.
Optional configuration, which is used to specify the maximum number of users who are
Configuring the IPv4 User allowed to access a certain interface.
Capacity
Configures the number of IPv4 users who
[no] nac-author-user maximum
are allowed to access a certain interface.
Optional configuration, which is used to specify whether online users with static MAC
Configuring addresses can migrate.
Authenticated-User Migration
Configures whether authenticated users can
[no] station-move permit
migrate.
Optional configuration, which is used to specify whether to enable the user online-status
detection function.
Configuring User
Configures the parameters of the user
Online-Status Detection offline-detect interval threshold
online-status detection function.
Disables the user online-status detection
no offline-detect
function.
Restores the default user online-status
default offline-detect
detection mode.
Configure authentication-exemption VLANs, so that users in these VLANs can access the Internet without experiencing
dot1x or Web authentication.
Configure authentication-exemption VLANs on a port, so that only users in specified VLANs on the port can access the
Internet without experiencing authentication.
Precautions
Authentication-exemption VLANs only mean that users in these VLANs do not need to experience a check related to access
authentication, but still need to experience a check based on a security ACL. If specified users or VLANs are denied
according to the security ACL, corresponding users still cannot access the Internet. Therefore, during ACL configuration, you
5-7
Configuration Guide Configuring SCC
need to ensure that specified VLANs or specified users in the authentication-exemption VLANs are not blocked if you hope
that users in the authentication-exemption VLANs can access the Internet without being authenticated.
Configuration Method
Optional configuration. To spare all users in certain VLANs from dot1x or Web authentication, configure these VLANS
as authentication-exemption VLANs.
Perform this configuration on access, convergence, or core switches depending on user distribution.
Verification
Enable dot1x authentication on downlink ports that connect to user terminals, add the downlink ports that connect to the
user terminals to a specific VLAN, and configure the VLAN as an authentication-exemption VLAN. Then open the
Internet Explorer, and enter a valid extranet address (such as www.google.com). If the users can open the
corresponding webpage on the Internet, it indicates that the authentication-exemption VLAN is valid; otherwise, the
authentication-exemption VLAN does not take effect.
Use the show direct-vlan command to check the authentication-exemption VLAN configuration on the device.
Port direct-vlan
-------- ------------------
5-8
Configuration Guide Configuring SCC
Gi0/1 5,7,100
Configuration Examples
Configuring Authentication-exemption VLANs so that Specific Users Can Access the Internet Without Being Authenticated
Scenario
Figure 5-2
Configuration On switch A (which is the core gateway device), set the GI 2/1 port as a trunk port, and enable dot1x
Steps authentication on this port.
On switch A (which is the core gateway device), configure VLAN 100 to which the headmaster's office
belongs as an authentication-exemption VLAN.
Switch A
SwitchA(config)#vlan 100
SwitchA(config-vlan)#exit
SwitchA(config)#direct-vlan 100
*Oct 17 16:06:45: %DOT1X-6-ENABLE_DOT1X: Able to receive EAPOL packet and DOT1X authentication
enabled.
5-9
Configuration Guide Configuring SCC
Verification Open the Internet Explorer from any PC in the headmaster's office, enter a valid extranet address, and
confirm that the corresponding webpage can be opened.
Use the show direct-vlan command to check whether the authentication-exemption VLAN is valid.
Switch A
SwitchA(config)#show direct-vlan
direct-vlan 100
Configure the IPv4 user capacity, so as to restrict the number of users who are allowed to access an access port.
Precautions
N/A
Configuration Method
Optional configuration. To limit the maximum of users who are allowed to access an access port, configure the IPv4
user capacity. The access user capacity is not limited on an access port by default. Suppose the user capacity limit is
configured on a specific interface. When the number of authenticated users on the interface reaches the maximum, new
users cannot be authenticated on this interface and cannot get online, until existing authenticated users get offline on
the interface.
Perform this configuration on access switches, which may be access switches on the network edge or core gateway
devices.
Verification
Check the IPv4 user capacity configuration on a port using the following method:
5-10
Configuration Guide Configuring SCC
dot1x authentication: When the number of users who get online based on 1x client authentication on the port reaches
the specified user capacity, no any new user can get online from this port.
Web authentication: When the number of users who get online based on Web authentication on the port reaches the
specified user capacity, no any new user can get online from this port.
Use the show nac-author-user [ interface interface-name ] command to check the IPv4 user capacity configured on
the device.
Gi0/1 0 4
Configuration Examples
Restricting the Number of IP4 Users on a Port to Prevent Excessive Access Terminals from Impacting the Network
Scenario
Figure 5-3
Configuration Assume that the dot1x authentication environment has been well configured on the access switch A,
Steps and dot1x authentication is enabled on the Gi 0/2 port.
Set the maximum number of IPv4 access users on the Gi 0/2 port to 4.
Switch A
SwitchA(config)#int GigabitEthernet 0/2
5-11
Configuration Guide Configuring SCC
Verification Perform dot1x authentication for all the four PCs in the dormitory, so that the PCs get online. Then take
an additional terminal to access the network, and attempt to perform dot1x authentication for this
terminal. Verify that the terminal cannot be successfully authenticated to get online.
Use the show nac-author-user command to check whether the configuration has taken effect.
Switch A
SwitchA(config)#show nac-author-user
Gi0/1 0 4
By default, when a user gets online after passing dot1x or Web authentication at a physical location (which is represented by
a specific access port plus the VLAN number) and quickly moves to another physical location without getting offline, the user
cannot get online through dot1x or Web authentication from the new physical location, unless the authenticated-user
migration feature has been configured in advance.
Precautions
If the authenticated-user migration feature is not yet configured, an online user cannot get online from the new physical
location after quickly moving from one physical location to another physical location without getting offline first. However,
if the user gets offline before changing the physical location or gets offline during the location change (for example, the
user online-status detection function disconnects the user), the user can still normally get online after being
authenticated at the new physical location, even if the authenticated-user migration feature is not configured.
After moving to the new physical location, the online user needs to perform dot1x or Web authentication so as to get
online.
Configuration Method
Optional configuration. To allow users to be authenticated and get online from different physical locations, enable the
authenticated-user migration function.
Perform this configuration on access, convergence, or core switches depending on user distribution.
5-12
Configuration Guide Configuring SCC
on the network moves to another physical location and attempts to get online from the new physical location
without getting offline first, the authentication fails and the user cannot get online from the new physical
location.
Command Global configuration mode
Mode
Usage Guide Use this command to configure authenticated-user migration.
Verification
A PC is authenticated and gets online from a dot1x-based port of the device using dot1x SU client, and does not
actively get offline. Move the PC to another port of the device on which dot1x authentication is enabled, and perform
dot1x authentication again. Check whether the PC can successfully get online.
Configuration Examples
Configuring Online-User Migration so that an Online User Can Perform Authentication and Get Online from Different
Ports Without Getting Offline First
Scenario
Figure 5-4
Configuration Enable dot1x authentication on access ports Gi 0/2 and Gi 0/3, and configure authentication
Steps parameters. The authentication is MAC-based.
Configure online-user migration.
Switch A
sw1(config)#station-move permit
5-13
Configuration Guide Configuring SCC
Verification A lap-top PC in the R&D department performs authentication using dot1x SU client, and gets online.
Remove the network cable from the PC, connect the PC to the LAN where the test department resides,
and perform dot1x authentication for the PC again using dot1x SU client. Confirm that the PC can
successfully get online.
Switch A
sw1(config)#show running-config | include station
station-move permit
After the user online-status detection function is enabled, if a user's traffic is lower than a certain threshold within the
specified period of time, the device automatically disconnects the user, so as to avoid the economical loss incurred by
constant charging to the user.
Precautions
It should be noted that if disconnecting zero-traffic users is configured, generally software such as 360 Security Guard will
run on a user terminal by default. Then such software will send packets time and again, and the device will disconnect the
user only when the user's terminal is powered off.
Configuration Method
Optional configuration. A user is disconnected if the user does not involve any traffic within eight hours by default.
Perform this configuration on access, convergence, or core switches depending on user distribution. The configuration
acts on only the configured device instead of other devices on the network.
If the traffic threshold parameter threshold is set to 0, it indicates that zero-traffic detection will be performed.
5-14
Configuration Guide Configuring SCC
Verification
Check the user online-status detection configuration using the following method:
After the user online-status detection function is enabled, power off the specified authenticated terminal after the
corresponding user gets online. Then wait for the specified period of time, and run the online user query command
associated with dot1x or Web authentication on the device to confirm that the user is already offline.
Configuration Examples
Configuring User Online-Status Detection so that a User Is Disconnected if the User Does Not Have Traffic
Within Five Minutes
Scenario
Figure 5-5
Configuration Enable dot1x authentication on the access port Gi 0/2, and configure authentication parameters. The
Steps authentication is MAC-based.
Configure user online-status detection so that a user is disconnected if the user does not have traffic
within five minutes.
5-15
Configuration Guide Configuring SCC
Switch A
sw1(config)# offline-detect interval 5 threshold 0
Verification Perform dot1x authentication using dot1x SU client for a PC in the R&D department, so that the PC
gets online. Then power off the PC, wait for 6 minutes, and run the online user query command
available with dot1x authentication on switch 1 to confirm that the user of the PC is already offline.
Switch A
sw1(config)#show running-config | include offline-detect
offline-detect interval 5
5.5 Monitoring
Displaying
Command Function
show direct-vlan Displays the authentication-exemption VLAN configuration.
Displays information about IPv4 user entries on a specific
show nac-author-user [ interface interface-name ]
interface.
Debugging
System resources are occupied when debugging information is output. Therefore, close the debugging switch
immediately after use.
Command Function
debug scc event Debugs the SCC running process.
debug scc user [ mac | author | mac ] Debugs SCC user entries.
Debugs ACLs stored in the current SCC and delivered by
debug scc acl-show summary
various services.
debug scc acl-show all Debugs all ALCs stored in the current SCC.
5-16
Configuration Guide Configuring Global IP-MAC Binding
6.1 Overview
Enable the global IP-MAC binding function manually to verify the input packets. If a specified IP address is bound with a MAC
address, the device receives only the IP packets containing matched IP address and MAC address. The other packets are
discarded.
The address bounding feature is used to verify the input packets. Note that the address binding feature takes precedence
over the 802.1X authentication, port security, and access control list (ACL).
6.2 Applications
Application Description
Global IP-MAC Binding Only hosts with the specified IP addresses can access the network, and the hosts
connected to a device can move freely.
The administrator assigns a fixed IP address for each host to facilitate management.
Only hosts with the specified IP addresses can access the external network, which prevents IP address embezzlement
by unauthorized hosts.
Figure 6-1
6-1
Configuration Guide Configuring Global IP-MAC Binding
Deployment
Manually configure the global IP-MAC binding. (Take three users as an example.)
Configure the uplink port (Gi0/5 port in this example) of the device as the exclude port.
6.3 Features
Basic Concepts
IPv6 address binding modes include Compatible, Loose, and Strict. The default mode is Strict. If IPv4-MAC binding is not
configured, the IPv6 address binding mode does not take effect, and all IPv4 and IPv6 packets are allowed to pass through. If
IPv4-MAC binding is configured, the IPv6 address binding mode takes effect, and the device forwards IPv4 and IPv6 packets
based on the forwarding rules described in the following table:
Exclude Port
6-2
Configuration Guide Configuring Global IP-MAC Binding
By default, the IP-MAC binding function takes effect on all ports of the device. You can configure exclude ports so that the
address binding function does not take effect on these ports. In practice, the IP-MAC bindings of the input packets on the
uplink port are not fixed. Generally, the uplink port of the device is configured as the exclude port so that the packets on the
uplink port are not checked for IP-MAC binding.
Overview
Feature Description
Configuring Global IP-MAC Control forwarding of IPv4 or IPv6 packets.
Binding
Configuring the IPv6 Change the IPv6 packet forwarding rules.
Address Binding Mode
Configuring the Exclude Port Disable the global address binding function on the specified port.
Enable the global IP-MAC binding function manually to verify the input packets. If a specified IP address is bound with a MAC
address, the device receives only the IP packets containing matched IP address and MAC address. The other packets are
discarded.
Related Configuration
Run the address-bind command in global configuration mode to add or delete an IPv4-MAC binding.
Run the address-bind install command in global configuration mode to enable the IP-MAC binding function. By default, this
function is disabled.
After the global IPv4-MAC binding is configured and enabled, IPv6 packets are forwarded based on the IPv6 address binding
mode. IPv6 binding modes include Compatible, Loose, and Strict.
Related Configuration
Run the address-bind ipv6-mode command to specify an IPv6 address binding mode.
6-3
Configuration Guide Configuring Global IP-MAC Binding
Configure an exclude port so that the address binding function does not take effect on this port.
Related Configuration
Run the address-bind uplink command to configure an exclude port. By default, no port is the exclude port.
6.4 Configuration
Configuring the IPv6 Address (Optional) It is used to configure the IPv6 address binding mode.
Binding Mode
address-bind ipv6-mode Configures the IPv6 address binding mode.
Enable the address binding function to control forwarding of the IPv4 or IPv6 packets.
Notes
If you run the address-bind install command without IP-MAC binding configured, IP-MAC binding does not take effect
and all packets are allowed to pass through.
Configuration Steps
6-4
Configuration Guide Configuring Global IP-MAC Binding
Verification
Run the show run or show address-bind command to check whether the configuration takes effect.
Related Commands
Configuration Example
6-5
Configuration Guide Configuring Global IP-MAC Binding
Ruijie#show address-bind
--------------- ----------------
192.168.5.1 00d0.f800.0001
Change the IPv6 address binding mode so as to change the forwarding rules for IPv6 packets.
Configuration Steps
(Optional) Perform this configuration when you want to change the forwarding rules for IPv6 packets.
Verification
Run the show run command to check whether the configuration takes effect.
Related Commands
6-6
Configuration Guide Configuring Global IP-MAC Binding
Usage
Configuration Example
Verification Run the show run command to display the configuration on the device.
The address binding function is disabled on the exclude port, and all IP packets can be forwarded.
Notes
Configuration Steps
(Optional) Perform this configuration in global configuration mode when you want to disable the address binding
function on a specified port.
Verification
Run the show run or show address-bind uplink command to check whether the configuration takes effect.
Related Commands
6-7
Configuration Guide Configuring Global IP-MAC Binding
Configuration Example
Ruijie#show address-bind
--------------- ----------------
192.168.5.1 00d0.f800.0001
Port State
---------- ---------
Gi0/1 Enabled
Default Disabled
6.5 Monitoring
Displaying
Description Command
Displays the IP-MAC binding on the device. show address-bind
Displays the exclude port. show address-bind uplink
6-8
Configuration Guide Configuring Password Policy
7.1 Overview
The Password Policy is a password security function provided for local authentication of the device. It is configured to control
users' login passwords and login states.
N/A
7.2 Features
Basic Concepts
Administrators can set a minimum length for user passwords according to system security requirements. If the password
input by a user is shorter than the minimum password length, the system does not allow the user to set this password but
displays a prompt, asking the user to specify another password of an appropriate length.
The less complex a password is, the more likely it is to crack the password. For example, a password that is the same as the
corresponding account or a simple password that contains only characters or digits may be easily cracked. For the sake of
security, administrators can enable the strong password detection function to ensure that the passwords set by users are
highly complex. After the strong password detection function is enabled, a prompt will be displayed for the following types of
passwords:
The password life cycle defines the validity time of a user password. When the service time of a password exceeds the life
cycle, the user needs to change the password.
If the user inputs a password that has already expired during login, the system will give a prompt, indicating that the
password has expired and the user needs to reset the password. If the new password input during password resetting does
not meet system requirements or the new passwords consecutively input twice are not the same, the system will ask the user
to input the new password once again.
7-1
Configuration Guide Configuring Password Policy
When changing the password, the user will set a new password while the old password will be recorded as the user's history
records. If the new password input by the user has been used previously, the system gives an error prompt and asks the user
to specify another password.
The maximum number of password history records per user can be configured. When the number of password history
records of a user is greater than the maximum number configured for this user, the new password history record will
overwrite the user's oldest password history record.
Administrators can enable the storage of encrypted passwords for security consideration. When administrators run the show
running-config command to display configuration or run the write command to save configuration files, various user-set
passwords are displayed in the cipher text format. If administrators disable the storage of encrypted passwords next time, the
passwords already in cipher text format will not be restored to plaintext passwords.
7.3 Configuration
Networking
Requirements
Provide a password security policy for local authentication of the device. Users can configure different password
security policies to implement password security management.
Notes
7-2
Configuration Guide Configuring Password Policy
The configured password security policy is valid for global passwords (configured using the commands enable
password and enable secret) and local user passwords (configured using the username name password password
command). It is invalid for passwords in Line mode.
Configuration Steps
Optional
Perform this configuration on each device that requires the configuration of a password life cycle unless otherwise
stated.
Optional
Perform this configuration on each device that requires a limit on the minimum length of user passwords unless
otherwise stated.
Optional
Perform this configuration on each device that requires a limit on the no-repeat times of latest password configuration
unless otherwise stated.
Optional
Perform this configuration on each device that requires strong password detection unless otherwise stated.
Optional
Perform this configuration on each device that requires the storage of passwords in encrypted format unless otherwise
stated.
Verification
Configure a local user on the device, and configure a valid password and an invalid password for the user.
When you configure the valid password, the device correctly adds the password.
When you configure the invalid password, the device displays a corresponding error log.
Related Commands
7-3
Configuration Guide Configuring Password Policy
Parameter life-cycle days: Indicates the password life cycle in the unit of days. The value range is from 1 to 65535.
Description
Command Global configuration mode
Mode
Usage Guide The password life cycle is used to define the validity period of user passwords. If the user logs in with a
password whose service time already exceeds the life cycle, a prompt is given, asking the user to change
the password.
7-4
Configuration Guide Configuring Password Policy
Checking Information Such as the Default Password Dictionary and Weak Passwords Manually Set
Configuration Examples
The following configuration example describes configuration related to a password security policy.
7-5
Configuration Guide Configuring Password Policy
Typical Assume that the following password security requirements arise in a network environment:
Application 6. The minimum length of passwords is 8 characters;
7. The password life cycle is 90 days;
8. Passwords are stored and transmitted in cipher text format;
9. The number of no-repeat times of password history records is 3;
10. Passwords shall not be the same as user names, and shall not contain simple characters or digits only.
Verification When you create a user and the corresponding password after configuring the password security policy, the
system will perform relevant detection according to the password security policy.
Run the show password policy command to display user-configured password security policy
information.
Ruijie# show password policy
Global password policy configurations:
Password encryption: Enabled
Password strong-check: Enabled
Password secret-dictionary-check: Enabled
Password min-size: Enabled (8 characters)
Password life-cycle: Enabled (90 days)
Password no-repeat-times: Enabled (max history record: 3)
Common Errors
The time configured for giving a pre-warning notice about password expiry to the user is greater than the password life
cycle.
7-6
Configuration Guide Configuring Password Policy
7.4 Monitoring
Displaying
Command Function
show password policy Displays user-configured password security policy information.
7-7
Configuration Guide Configuring Port Security
8.1 Overview
Port security is used to restrict access to a port. Source MAC addresses of packets can be used to restrict the packets that
enter the ports of a switch. You can set the number of static MAC addresses or the number of MAC addresses that are
dynamically learned to restrict the packets that can enter the port. Ports enabled with port security are called secure ports.
8.2 Applications
Application Description
Allowing Only Specified Hosts to Use For network security, certain ports of a device can be used only by specified hosts.
Ports
In a scenario that has requirements for the network security, devices cannot be completely isolated physically. In this case,
the devices need to be configured to restrict the PCs that connected to the ports of the devices.
Only specified PCs can connect to the ports and normally use the network.
Other PCs cannot use the network even if connected to the ports.
After the configuration is complete, the administrator does not need to perform regular maintenance.
Figure 8-1
Deployment
8-1
Configuration Guide Configuring Port Security
Enable port security on access device S and set the violation handling mode to protect.
8.3 Features
Basic Concepts
Secure Port
Ports configured with port security are called secure ports. At present, Ruijie devices require that secure ports cannot be
destination ports of mirroring.
Secure Addresses
Addresses bound to secure ports are called secure addresses. Secure addresses can be layer-2 addresses, namely MAC
addresses, and can also be layer-3 addresses, namely, IP or IP+MAC addresses. When a secure address is bound to
IP+MAC and a static secure MAC address is configured, the static secure MAC address must be the same as the MAC
address bound to IP+MAC; otherwise, communication may fail due to inconsistency with the binding. Similarly, if only IP
binding is set, only packets whose secure MAC addresses are statically configured or learned and whose source IP
addresses are the bound IP address can enter the device.
Dynamic Binding
A method for a device to automatically learn addresses and convert learned addresses into secure addresses.
Static Binding
Regularly delete secure address records. Secure addresses for port security support aging configuration. You can specify
only dynamically learned addresses for aging or specify both statically configured and dynamically learned secure addresses
for aging.
Convert dynamically learned secure addresses into statically configured addresses. Addresses will not age. After the
configurations are saved, dynamic secure addresses will not be learned again upon restart. If this function is not enabled, the
secure MAC addresses dynamically learned must be learned again after device restart.
When the number of learned MAC addresses learned by a port exceeds the maximum number of secure addresses, security
violation events will be triggered. You can configure the following modes for handing security violation events:
8-2
Configuration Guide Configuring Port Security
protect: When security violation occurs, a corresponding secure port will stop learning MAC addresses and discard all
packets of newly accessed users. This is the default mode for handling violation.
restrict: When violation occurs, a port violation trap notification will be sent in addition to the behavior in the protect
mode.
shutdown: When violation occurs, the port will be disabled in addition to the behaviors in the preceding two modes.
The maximum number of secure addresses indicates the total number of secure addresses statically configured and
dynamically learned. When the number of secure addresses under a secure port does not reach the maximum number of
secure addresses, the secure port can dynamically learn new dynamic secure addresses. When the number of secure
addresses reaches the maximum number, the secure port will not learn dynamic secure addresses any longer. If new users
access the secure port in this case, security violation events will occur.
Overview
Feature Description
Enabling Port Creates a secure address list for a port.
Security
Filtering Layer-2 Processes the packets received by a port from non-secure addresses.
Users
Filtering Layer-3 Checks the layer-2 and layer-3 addresses of packets passing a port.
Users
Aging of Secure Regularly deletes secure addresses.
Addresses
Working Principle
When port security is enabled, the device security module will check the sources of received packets. Only packets from
addresses in the secure address list can be normally forwarded; otherwise, the packets will be discarded or the port performs
other violation handling behaviors.
When the port security and 802.1x are configured at the same time, packets can enter a switch only when the MAC
addresses of the packets meet the static MAC address configurations of 802.1x or port security. If a port is configured with a
secure channel or is bound to global IP+MAC, packets in compliance with the secure channel or bound to global IP+MAC
can avoid checking of port security.
Related Configuration
8-3
Configuration Guide Configuring Port Security
You can run the switchport port-security command to enable or disable the port security function for a port.
You can run the switchport port-security maximum command to adjust the maximum number of secure addresses for the
port.
A smaller number of secure addresses mean fewer users that access the network through this port.
By default, when the number of secure addresses reaches the maximum number, the secure port will discard packets from
unknown addresses (none of the secure addresses of the port).
You can run the switchport port-security violation command to modify the violation handling mode.
You can run the switchport port-security mac-address sticky command to save dynamically learned addresses to the
configuration file. As long as the configuration file is saved, the device does not need to re-learn the secure addresses after
the device is restarted.
Working Principle
Add secure addresses for a secure port. When the number of secure addresses for a secure port does not reach the
maximum number, the secure port can dynamically learn new dynamic secure addresses. When the number of secure
addresses for the secure port reaches the maximum number, the secure port will not learn dynamic secure addresses any
longer. The MAC addresses of users connecting to this port must be in the secure address list; otherwise, violation events
will be triggered.
Related Configuration
By default, a port dynamically learns secure addresses. If an administrator has special requirements, the administrator can
manually configure secure addresses.
You can run the switch portport-security interface command to add or delete secure addresses for a device.
8-4
Configuration Guide Configuring Port Security
Working Principle
Layer-3 secure addresses support only IP binding and IP+MAC binding, and supports only static binding (not dynamic
binding).
When a layer-3 secure port receives packets, layer-2 and layer-3 addresses need to be parsed. Only packets whose
addresses are bound are valid packets. Other packets are considered as invalid packets and will be discarded, but no
violation event will be triggered.
Related Configuration
You can run the switchport port-security binding command to add binding of secure addresses.
If only IP addresses are input, only IP addresses are bound. If IP addresses and MAC addresses are input, IP+MAC will be
bound.
Working Principle
Enable the aging timer to regularly query and delete secure addresses whose aging time expires.
Related Configuration
You can run the switchport port-security aging command to enable aging time.
8.4 Configuration
Configuring Secure ports and (Mandatory) It is used to enable the port security service.
Violation Handling Modes
switchport port-security Enables port security.
8-5
Configuration Guide Configuring Port Security
Restrict the number of MAC addresses that can be learned from a port.
Notes
The port security function cannot be configured for a DHCP Snooping trusted port.
The port security function cannot be configured for excluded ports of global IP+MAC.
The security function can be enabled only for wired switching ports and layer-2 AP ports in the interface configuration
mode.
The port security can work with other access control functions such as the 802.1x, global IP+MAC binding, and IP
source guard. When these functions are used together, packets can enter a switch only when passing all security
checks. If a security channel is configured for a port, packets in compliance with the security channel will avoid checking
of the port security.
Configuration Steps
8-6
Configuration Guide Configuring Port Security
Mandatory.
If there is no special requirement, enable the port security service for a port on the access device.
Optional. To adjust the maximum number of secure addresses running on a secure port, you can configure this item.
Optional. If you hope that other handling modes except discarding packets are implemented in case of violation, you
can configure other handling modes.
Optional. If you hope that secure addresses are not re-learned after the device is restarted, you can configure this item.
Verification
Run the command of the device for displaying the port security configurations to check whether the configurations take
effect.
Related Commands
8-7
Configuration Guide Configuring Port Security
address is the configured secure address) connected to this port will exclusively use all bandwidth of the
port.
Configuration Example
Enabling Port Security for the Port gigabitethernet 0/3, Setting the Maximum Number of Addresses to 8, and
Setting the Violation Handing Mode to protect
8-8
Configuration Guide Configuring Port Security
Interface : Gi0/3
Common Errors
The configured maximum number of secure addresses is smaller than the number of existing secure addresses.
Notes
Sticky MAC addresses are special MAC addresses not affected by the aging mechanism. No matter dynamic or static
aging is configured, sticky MAC addresses will not be aged.
Configuration Steps
8-9
Configuration Guide Configuring Port Security
Optional.
Optional.
Verification
Run the command of the device for displaying the port security configurations to check whether the configurations take
effect.
Related Commands
Adding Secure Addresses for Secure Ports in the Global Configuration Mode
Adding Secure Addresses for Secure Ports in the Interface Configuration Mode
Adding Binding of Secure Addresses for Secure Ports in the Global Configuration Mode
Command switchport port-security interface interface-id binding [ mac-address vlan vlan_id ] { ipv4-address |
ipv6-address }
Parameter interface-id: Indicates the interface ID.
Description mac-address: Indicates a bound source MAC address.
vlan_id: Indicates the VID of a bound source MAC address.
ipv4-address: Indicates a bound IPv4 address.
ipv6-address: Indicates a bound IPv6 address.
Command Global configuration mode
Mode
8-10
Configuration Guide Configuring Port Security
Usage Guide -
Adding Binding of Secure Addresses for Secure Ports in the Interface Configuration Mode
Command
switchport port-security binding-filter logging [ rate-limit rate ]
Parameter rate-limit rate: Indicates the printing rate of binding filter logging.
Description
Command Global configuration mode
Mode
Usage Guide 1. If you run the switchport port-security binding-filter logging command without configuring the rate
parameter, binding filter logging is enabled and the default printing rate, 10logs/minute, is adopted.
2. After binding filter logging is enabled, for packets that do not comply with IP/IP-MAC binding, warmings
are printed.
3. After binding filter logging is enabled, if the printing rate exceeds the configured rate, the number of
suppressed packets is displayed.
Configuration Example
Configuring a Secure MAC Address 00d0.f800.073c for the Port gigabitethernet 0/3
8-11
Configuration Guide Configuring Port Security
----------------------------------------- ------------------
Configuring a Security Binding of the IP Address 192.168.12.202 for the Port gigabitethernet 0/3
----------------------------------------- ------------------
8-12
Configuration Guide Configuring Port Security
Configuring a Secure MAC Address 00d0.f800.073c and a Security Binding of the IP Address
0000::313b:2413:955a:38f4 for the Port gigabitethernet 0/3
Ruijie(config-if)# end
----------------------------------------- ------------------
Configuring the Aging Time of the Port gigabitethernet 0/3 to 8 Minutes, Which Is Also Applied to Statically
Configured Secure Addresses
8-13
Configuration Guide Configuring Port Security
Interface : Gi0/3
Violation mode:Shutdown
8.5 Monitoring
Displaying
Description Command
Displays all secure addresses or all show port-security address [ interface interface-id ]
secure addresses of a specified port.
Displays all bindings or all bindings of show port-security binding [ interface interface-id ]
a specified port.
Displays all valid secure addresses show port-security all
of ports and the security binding
records of the ports.
Displays the port security show port-security interface interface-id
configurations of an interface.
Displays the statistics about port show port-security
security.
8-14
Configuration Guide Configuring Storm Control
9.1 Overview
When a local area network (LAN) has excess broadcast data flows, multicast data flows, or unknown unicast data flows, the
network speed will slow down and packet transmission will have an increased timeout probability. This situation is called a
LAN storm. A storm may occur when topology protocol execution or network configuration is incorrect.
Storm control can be implemented to limit broadcast data flows, multicast data flows, or unknown unicast data flows. If the
rate of data flows received by a device port is within the configured bandwidth threshold, packets-per-second threshold, or
kilobits-per-second threshold, the data flows are permitted to pass through. If the rate exceeds the thresholds, excess data
flows are discarded until the rate falls within the thresholds. This prevents flood data from entering the LAN causing a storm.
9.2 Applications
Application Description
Network Attack Prevention Enable storm control to prevent flooding.
Protect devices from flooding of broadcast packets, multicast packets, or unknown unicast packets.
Figure 9-1
Deployment
Enable storm control on the ports of all access devices (Switch A and Switch B).
9-1
Configuration Guide Configuring Storm Control
9.3 Features
Basic Concepts
Storm Control
If the rate of data flows (broadcast packets, multicast packets, or unknown unicast packets) received by a device port is
within the configured bandwidth threshold, packets-per-second threshold, or kilobits-per-second threshold, the data flows are
permitted to pass through. If the rate exceeds the thresholds, excess data flows are discarded until the rate falls within the
thresholds.
If the rate of data flows received by a device port is within the configured bandwidth threshold, the data flows are permitted to
pass through. If the rate exceeds the threshold, excess data flows are discarded until the rate falls within the threshold.
If the rate of data flows received by a device port is within the configured packets-per-second threshold, the data flows are
permitted to pass through. If the rate exceeds the threshold, excess data flows are discarded until the rate falls within the
threshold.
If the rate of data flows received by a device port is within the configured kilobits-per-second threshold, the data flows are
permitted to pass through. If the rate exceeds the threshold, excess data flows are discarded until the rate falls within the
threshold.
Overview
Feature Description
Unicast Packet Storm Limits unknown unicast packets to prevent flooding.
Control
Multicast Packet Limits multicast packets to prevent flooding.
Storm Control
Broadcast Packet Limits broadcast packets to prevent flooding.
Storm Control
Working Principle
9-2
Configuration Guide Configuring Storm Control
If the rate of unknown unicast data flows received by a device port is within the configured bandwidth threshold,
packets-per-second threshold, or kilobits-per-second threshold, the data flows are permitted to pass through. If the rate
exceeds the thresholds, excess data flows are discarded until the rate falls within the thresholds.
Related Configuration
Run the storm-control unicast [ { level percent | pps packets | rate-bps } ] command to enable unicast packet storm control
on ports.
Run the no storm-control unicast or default storm-control unicast command to disable unicast packet storm control on
ports.
Working Principle
If the rate of multicast data flows received by a device port is within the configured bandwidth threshold, packets-per-second
threshold, or kilobits-per-second threshold, the data flows are permitted to pass through. If the rate exceeds the thresholds,
excess data flows are discarded until the rate falls within the thresholds.
Related Configuration
Run the storm-control multicast [ { level percent | pps packets | rate-bps } ] command to enable multicast packet storm
control on ports.
Run the no storm-control multicast or default storm-control multicast command to disable multicast packet storm
control on ports.
Working Principle
9-3
Configuration Guide Configuring Storm Control
If the rate of broadcast data flows received by a device port is within the configured bandwidth threshold, packets-per-second
threshold, or kilobits-per-second threshold, the data flows are permitted to pass through. If the rate exceeds the thresholds,
excess data flows are discarded until the rate falls within the thresholds.
Related Configuration
Run the storm-control broadcast [ { level percent | pps packets | rate-bps } ] command to enable broadcast packet storm
control on ports.
Run the no storm-control broadcast or default storm-control broadcast command to disable broadcast packet storm
control on ports.
9.4 Configuration
Prevent flooding caused by excess broadcast packets, multicast packets, and unknown unicast packets.
Notes
When you run a command (for example, storm-control unicast) to enable storm control, if you do not set the
parameters, the default values are used.
Configuration Steps
Mandatory.
Enable unicast packet storm control on every device unless otherwise specified.
Mandatory.
Enable multicast packet storm control on every device unless otherwise specified.
9-4
Configuration Guide Configuring Storm Control
Mandatory.
Enable broadcast packet storm control on every device unless otherwise specified.
Verification
Run the show storm-control command to check whether the configuration is successful.
Related Commands
Configuration Example
Scenario
9-5
Configuration Guide Configuring Storm Control
Figure 9-2
Ruijie(config-if-range)#storm-control broadcast
Ruijie(config-if-range)#storm-control multicast
Ruijie(config-if-range)#storm-control unicast
Switch B
Ruijie(config)#interface range gigabitEthernet 0/1,0/5,0/9
Ruijie(config-if-range)#storm-control broadcast
Ruijie(config-if-range)#storm-control multicast
Ruijie(config-if-range)#storm-control unicast
Switch B
Ruijie#sho storm-control
9-6
Configuration Guide Configuring Storm Control
9.5 Monitoring
Displaying
Description Command
Displays storm control information. show storm-control [ interface-type interface-number ]
9-7
Configuration Guide Configuring SSH
10 Configuring SSH
10.1 Overview
Secure Shell (SSH) connection is similar to a Telnet connection except that all data transmitted over SSH is encrypted. When
a user in an insecure network environment logs into a device remotely, SSH helps ensure information security and powerful
authentication, protecting the device against attacks such as IP address spoofing and plain-text password interception.
An SSH-capable device can be connected to multiple SSH clients. In addition, the device can also function as an SSH client,
and allows users to set up an SSH connection with a SSH-server device. In this way, the local device can safely log in to a
remote device through SSH to implement management.
Currently, a device can work as either the SSH server or an SSH client, supporting SSHv2 version. Ruijie SSH service
supports both IPv4 and IPv6.
RFC 4419: Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
RFC 4716: The Secure Shell (SSH) Public Key File Format
RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
draft-ylonen-ssh-protocol-00: The version of the SSH Remote Login Protocol is 1.5. Comware implements the SSH
server functions, but not the SSH client functions.
10.2 Applications
Application Description
SSH Device Management Use SSH to manage devices.
SSH Local Line Authentication Use the local line password authentication for SSH user authentication.
10-1
Configuration Guide Configuring SSH
Application Description
SSH AAA Authentication Use the authentication, authorization and accounting (AAA) mode for SSH user
authentication.
SSH Public Key Authentication Use the public key authentication for SSH user authentication.
SSH File Transfer Use the Secure Copy (SCP) commands on the client to exchange data with the SSH
server.
You can use SSH to manage devices on the precondition that the SSH server function is enabled. By default, this function is
disabled. The Telnet component that comes with the Windows system does not support SSH. Therefore, a third-party client
software must be used. Currently, well-compatible software includes PuTTY, Linux, and SecureCRT. The following takes the
PuTTY as an example to introduce the configurations of the SSH client. Figure 10-1 shows the network topology.
Deployment
On the Session option tab of PuTTY, type in the host IP address of the SSH server and SSH port number 22, and
select the connection type SSH.
On the SSH option tab of PuTTY, select the preferred SSH protocol version 2.
On the SSH authentication option tab of PuTTY, select the authentication method Attempt "keyboard-interactive"
auth.
Type in the correct user name and password to enter the terminal login interface.
SSH clients can use the local line password authentication mode, as shown in Figure 10-2. To ensure security of data
exchange, PC 1 and PC 2 function as the SSH clients, and use the SSH protocol to log in to the network device where the
SSH server function is enabled. The requirements are as follows:
10-2
Configuration Guide Configuring SSH
Five lines, including Line 0 to Line 4, are activated concurrently. The login password is "passzero" for Line 0 and "pass"
for the remaining lines. Any user name can be used.
Deployment
1. Enable the SSH server function globally. By default, the SSH server supports only one version: SSHv2.
2. Configure the key. With this key, the SSH server decrypts the encrypted password received from the SSH clients,
compares the decrypted plain text with the password stored on the server, and returns a message indicating the
successful or unsuccessful authentication. SSHv2 adopts an RSA or DSA key.
3. Configure the IP address of the FastEthernet 0/1 interface on the SSH server. The SSH client is connected to the SSH
server using this IP address. The routes from the SSH clients to the SSH server are reachable.
Diversified SSH client software is available, including PuTTY,Linux, and OpenSSH. This document takes PuTTY as an
example to explain the method for configuring the SSH clients.
1. Open the PuTTY connection tab, and select SSHv2 for authenticated login.
2. Set the IP address and connected port ID of the SSH server. As shown in the network topology, the IP address of the
server is 192.168.23.122, and the port ID is 22. Click Open to start the connection. As the current authentication mode
does not require a user name, you can type in any user name, but cannot be null. (In this example, the user name is
"anyname".)
SSH users can use the AAA authentication mode for user authentication, as shown in Figure 10-3. To ensure security of data
exchange, the PCs function as the SSH clients, and uses the SSH protocol to log in to the network device where the SSH
server is enabled. To better perform security management, the AAA authentication mode is used for user login on the SSH
clients. Two authentication methods, including Radius server authentication and local authentication, are provided in the AAA
10-3
Configuration Guide Configuring SSH
authentication method list to ensure reliability. The Radius server authentication method is preferred. If the Radius server
does not respond, it turns to the local authentication.
Deployment
The routes from the SSH clients to the SSH server are reachable, and the route from the SSH server to the Radius
server is also reachable.
Configure the SSH server on the network device that functions as an SSH client.
Configure the AAA parameters on the network device. When the AAA authentication mode is used, method lists are
created to define the identity authentication and types, and applied to a specified service or interface.
SSH clients can use the public keys for authentication, and the public key algorithm can be RSA or DSA, as shown in Figure
10-4.SSH is configured on the client so that a secure connection is set up between the SSH client and the SSH server.
Figure 10-4 Network Topology for Public Key Authentication of SSH Users
Deployment
To implement public key authentication for the client, generate a key pair (RSA or DSA) on the client, configure the
public key on the SSH server, and select the public key authentication mode.
10-4
Configuration Guide Configuring SSH
After the key is generated on the client, the SSH server will copy the file of the public key from the client to the flash and
associates the file with the SSH user name. Each user can be associated with one RSA public key and one DSA public
key.
The SCP service is enabled on the server, and SCP commands are used on the client to transfer data to the server, as
shown in Figure 10-5.
Deployment
On the client, use SCP commands to upload files to the server, or download files from the server.
10.3 Features
Basic Concepts
Password authentication
During the password authentication, a client sends a user authentication request and encrypted user name and password to
the server. The server decrypts the received information, compares the decrypted information with those stored on the server,
and then returns a message indicating the successful or unsuccessful authentication.
During the public key authentication, digital signature algorithms, such as RSA and DSA, are used to authenticate a client.
The client sends a public key authentication request to the server. This request contains information including the user name,
public key, and public key algorithm. On receiving the request, the server checks whether the public key is correct. If wrong,
the server directly sends an authentication failure message. If right, the server performs digital signature authentication on
the client, and returns a message indicating the successful or unsuccessful authentication.
SSH Communication
10-5
Configuration Guide Configuring SSH
To ensure secure communication, interaction between an SSH server and an SSH client undergoes the following seven
stages:
Connection setup
The server listens on Port 22 to the connection request from the client. After originating a socket initial connection request,
the client sets up a TCP socket connection with the server.
Version negotiation
If the connection is set up successfully, the server sends a version negotiation packet to the client. On receiving the packet,
the client analyzes the packet and returns a selected protocol version to the server. The server analyzes the received
information to determine whether version negotiation is successful.
If version negotiation is successful, key exchange and the algorithm negotiation are performed. The server and the client
exchange the algorithm negotiation packet with each other, and determine the final algorithm based on their capacity. In
addition, the server and the client work together to generate a session key and a session ID according to the key exchange
algorithm and host key, which will be applied to subsequent user authentication, data encryption, and data decryption.
User authentication
After the encrypted channel is set up, the client sends an authentication request to the server. The server repeatedly
conducts authentication for the client until the authentication succeeds or the server shuts down the connection because the
maximum number of authentication attempts is reached.
Session request
After the successful authentication, the client sends a session request to the server. The server waits and processes the
client request. After the session request is successfully processed, SSH enters the session interaction stage.
Session interaction
After the session request is successfully processed, SSH enters the session interaction stage. Encrypted data can be
transmitted and processed in both directions. The client sends a command to be executed to the client. The server decrypts,
analyzes, and processes the received command, and then sends the encrypted execution result to the client. The client
decrypts the execution result.
Session ending
When the interaction between the server and the client is terminated, the socket connection disconnects, and the session
ends.
Overview
Feature Description
SSH Server Enable the SSH server function on a network device, and you can set up a secure connection with
the network device through the SSH client.
SCP Service After the SCP service is enabled, you can directly download files from the network device and
upload local files to the network device. In addition, all interactive data is encrypted, featuring
authentication and security.
10-6
Configuration Guide Configuring SSH
Working Principle
For details about the working principle of the SSH server, see the "SSH Communication" in "Basic Concepts." In practice,
after enabling the SSH server function, you can configure the following parameters according to the application
requirements:
Authentication timeout: The SSH server starts the timer after receiving a user connection request. The SSH server is
disconnected from the client either when the authentication succeeds or when the authentication timeout is reached.
Maximum number of authentication retries: The SSH server starts authenticating the client after receiving its connection
request. If authentication does not succeed when the maximum number of user authentication retries is reached, a
message is sent, indicating the authentication failure.
Public key authentication: The public key algorithm can be RSA or DSA. It provides a secure connection between the
client and the server. The public key file on the client is associated with the user name. In addition, the public key
authentication mode is configured on the client, and the corresponding private key file is specified. In this way, when the
client attempts to log in to the server, public key authentication can be implemented to set up a secure connection.
Related Configuration
In global configuration mode, run the [no] enable service ssh-server command to enable or disable the SSH server.
To generate the SSH key, you also need to enable the SSH server.
Run the ip ssh time-out command to configure the user authentication timeout of the SSH server. Use the no form of the
command to restore the default timeout. The SSH server starts the timer after receiving a user connection request. If
authentication does not succeed before the timeout is reached, authentication times out and fails.
Run the ip ssh authentication-retries command to configure the maximum number of user authentication retries on the
SSH server. Use the no form of the command to restore the default number of user authentication retries. If authentication
still does not succeed when the maximum number of user authentication retries is reached, user authentication fails.
10-7
Configuration Guide Configuring SSH
By default, the encryption mode supported by the SSH server is Compatible, that is, supporting counter (CTR) and other
encryption modes.
Run the ip ssh cipher-mode command to configure the encryption mode supported by the SSH server. Use the no form of
the command to restore the default encryption mode supported by the SSH server.
By default, the message authentication algorithms supported by the SSH server are as follows: For the SSHv2, five
algorithms, including MD5,SHA1,SHA1-96, sha2-256 and MD5-96, are supported.
Run the ip ssh hmac-algorithm command to configure the message authentication algorithm supported by the SSH server.
Use the no form of the command to restore the default message authentication algorithm supported by the SSH server.
Run the ip ssh peer command to associate the public key file on the client with the user name. When the client is
authenticated upon login, a public key file is specified based on the user name.
Working Principle
SCP is a protocol that supports online file transfer. It runs on Port 22 based on the BSC RCP protocol, whereas RCP
provides the encryption and authentication functions based on the SSH protocol. RCP implements file transfer, and
SSH implements authentication and encryption.
Assume that the SCP service is enabled on the server. When you use an SCP client to upload or download files, the
SCP client first analyzes the command parameters, sets up a connection with a remote server, and starts another SCP
process based on this connection. This process may run in source or sink mode. (The process running in source mode
is the data provider. The process running in sink mode is the destination of data.) The process running in source mode
reads and sends files to the peer end through the SSH connection. The process running in sink mode receives files
through the SSH connection.
Related Configuration
Run the ip scp server enable command to enable SCP server function on a network device.
10.4 Configuration
10-8
Configuration Guide Configuring SSH
Mandatory.
Configuring the SCP Service
ip scp server enable Enables the SCP server.
Enable the SSH server function on a network device so that you can set up a secure connection with a remote network
device through the SSH client. All interactive data is encrypted before transmitted, featuring authentication and security.
You can use diversified SSH user authentications modes, including local line password authentication, AAA
authentication, and public key authentication.
Notes
10-9
Configuration Guide Configuring SSH
The precondition of configuring a device as the SSH server is that communication is smooth on the network that the
device resides, and the administrator can access the device management interface to configure related parameters.
The no crypto key generate command does not exist. You need to run the crypto key zeroize command to delete a
key.
The SSH module does not support hot standby. Therefore, for products that supports hot standby on the supervisor
modules, if no SSH key file exist on the new active module after failover, you must run the crypto key generate
command to re-generate a key before using SSH.
Configuration Steps
Mandatory.
By default, the SSH server is disabled. In global configuration mode, enable the SSH server and generate an SSH key
so that the SSH server state changes to ENABLE.
Optional.
By default, the SSH authentication timeout is 120s. You can configure the user authentication timeout as required. The
value ranges from 1 to 120. The unit is second.
Optional.
Configure the maximum number of SSH authentication retries to prevent illegal behaviors such as malicious guessing.
By default, the maximum number of SSH authentication retries is 3, that is, a user is allowed to enter the user name and
password three times for authentication. You can configure the maximum number of retries as required. The value
ranges from 0 to 5.
Optional.
Specify the encryption mode supported by the SSH server. By default, the encryption mode supported by the SSH
server is Compatible, that is, supporting CTR and other encryption modes.
Optional.
Specify the message authentication algorithm supported by the SSH server. By default, the message authentication
algorithms supported by the SSH server are as follows: For the SSHv2, five algorithms, including MD5, SHA1, SHA1-96,
sha2-256 and MD5-96, are supported.
Optional.
10-10
Configuration Guide Configuring SSH
Set ACL filtering of the SSH server. By default, ACL filtering is not performed for all connections to the SSH server.
According to needs, set ACL filtering to perform for all connections to the SSH server.
Optional.
Only SSHv2 supports authentication based on the public key. This configuration associates a public key file on the
client with a user name. When a client is authenticated upon login, a public key file is specified based on the user name.
Verification
Run the show ip ssh command to display the current SSH version, authentication timeout, and maximum number of
authentication retries of the SSH server.
Run the show crypto key mypubkey command to display the public information of the public key to verify whether the
key has been generated.
Configure the public key authentication login mode on the SSH client and specify the private key file. Check whether
you can successfully log in to the SSH server from the SSH client. If yes, the public key file on the client is successfully
associated with the user name, and public key authentication succeeds.
Related Commands
10-11
Configuration Guide Configuring SSH
10-12
Configuration Guide Configuring SSH
Parameter md5: Indicates that the message authentication algorithm supported by the SSH server is MD5.
Description md5-96: Indicates that the message authentication algorithm supported by the SSH server is MD5-96.
sha1: Indicates that the message authentication algorithm supported by the SSH server is SHA1.
sha1-96: Indicates that the message authentication algorithm supported by the SSH server is SHA1-96.
sha2-256: Indicates that the message authentication algorithm supported by the SSH server is SHA2-256
Command Global configuration mode
Mode
Usage Guide This command is used to configure the message authentication algorithm supported by the SSH server.
On Ruijie devices, the SSHv2 server supports the MD5, SHA1, SHA1-96, sha2-256 and MD5-96 message
authentication algorithms. You can select message authentication algorithms supported by the SSH server
as required.
Configuration Example
10-13
Configuration Guide Configuring SSH
Configuration Run the crypto key generate { rsa | dsa } command to generate a RSA public key for the server.
Steps
SSH Server
Ruijie#configure terminal
Choose the size of the rsa key modulus in the range of 512 to 2048
and the size of the dsa key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.
If the generation of the RSA key is successful, the following information is displayed:
If the generation of the RSA key fails, the following information is displayed:
Verification Run the show crypto key mypubkey rsa command to display the public information about the RSA
key. If the public information about the RSA key exists, the RSA key has been generated.
SSH Server
Ruijie(config)#show crypto key mypubkey rsa
Key Data:
10-14
Configuration Guide Configuring SSH
Key Data:
Configuration Run the ip ssh time-out time command to set the SSH authentication timeout to 100s.
Steps
SSH Server
Ruijie#configure terminal
Ruijie(config)#ip sshtime-out100
Verification Run the show ip ssh command to display the configured SSH authentication timeout.
SSH Server
Ruijie(config)#show ip ssh
Authentication retries: 3
Configuration Run the ip ssh authentication-retries retry times command to set the maximum number of user
Steps authentication retries on the SSH server to 2.
SSH Server
Ruijie#configure terminal
Verification Run the show ip ssh command to display the configured maximum number of authentication retries.
SSH Server
Ruijie(config)#show ip ssh
Authentication retries: 3
Configuration Run the ip ssh cipher-mode { ctr | others }command to set the encryption mode supported by the
10-15
Configuration Guide Configuring SSH
Verification Select the CTR encryption mode on the SSH client, and verify whether you can successfully log in to
the SSH server from the SSH client.
Configuration Run the ip ssh hmac-algorithm {md5 | md5-96 | sha1 | sha1-96 | sha2-256} command to set the
Steps message authentication algorithm supported by the SSH server to SHA1.
SSH Server
Ruijie#configure terminal
Verification Select the SHA1 message authentication algorithm on the SSH client, and verify whether you can
successfully log in to the SSH server from the SSH client.
Configuration Run the ip ssh peer username public-key { rsa | dsa}filename command to associate a public key file
Steps of the client with a user name. When the client is authenticated upon login, a public key file (for
example, RSA) is specified based on the user name.
SSH Server
Ruijie#configure terminal
Verification Configure the public key authentication login mode on the SSH client and specify the private key file.
Check whether you can successfully log in to the SSH server from the SSH client. If yes, the public key
file on the client is successfully associated with the user name, and public key authentication
succeeds.
Scenario
Figure 10-6
You can use SSH to manage devices on the precondition that the SSH server function is enabled. By
default, this function is disabled. The Telnet component that comes with the Windows does not support
SSH. Therefore, a third-party client software must be used. Currently, well-compatible client software
includes PuTTY, Linux, and SecureCRT. The following takes the PuTTY as an example to introduce the
configurations of the SSH client.
10-16
Configuration Guide Configuring SSH
Host Name (or IP address) indicates the IP address of the host to be logged in. In this example, the IP
address is 192.168.23.122. Port indicates the port ID 22, that is, the default ID of the port listened by SSH.
Connection type is SSH.
Figure 10-8
10-17
Configuration Guide Configuring SSH
As shown in Figure 10-8, select 2 as the preferred SSH protocol version in the Protocol options pane
because SSHv2 is used for login.
Figure 10-9
10-18
Configuration Guide Configuring SSH
As shown in Figure 10-9, select Attempt "keyboard-interactive" auth as the authentication method to
support authentication based on the user name and password.
Then, click Open to connect to the configured server host, as shown in Figure 10-9.
Figure 10-10
The PuTTY Security Alert box indicates that you are logging in to the client of the server 192.168.23.122,
and asks you whether to receive the key sent from the server.
10-19
Configuration Guide Configuring SSH
If you select Yes, a login dialog box is displayed, as shown in Figure 10-11.
Figure 10-11
Type in the correct user name and password, and you can log in to the SSH terminal interface, as shown in
Figure 10-12.
Figure 10-12
10-20
Configuration Guide Configuring SSH
Verification Run the show ip ssh command to display the configurations that are currently effective on the SSH
server.
Run the show ssh command to display information about every SSH connection that has been
established.
Ruijie#show ip ssh
Authentication retries: 3
Ruijie#show ssh
10-21
Configuration Guide Configuring SSH
Scenario
Figure 10-13
SSH users can use the local line password for user authentication, as shown in Figure 10-13.To ensure
security of data exchange, PC 1 and PC 2 function as the SSH clients, and use the SSH protocol to log in to
the network device where the SSH server is enabled. The requirements are as follows:
SSH users use the local line password authentication mode.
Five lines, including Line 0 to Line 4, are activated concurrently. The login password is "passzero" for
Line 0 and "pass" for the remaining lines. Any user name can be used.
Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
10-22
Configuration Guide Configuring SSH
a few minutes.
Ruijie(config)#interface fastEthernet0/1
Ruijie(config-if-fastEthernet0/1)#exit
Ruijie(config)#line vty 0
Ruijie(config-line)#password passzero
Ruijie(config-line)#privilege level 15
Ruijie(config-line)#login
Ruijie(config-line)#exit
Ruijie(config)#line vty1 4
Ruijie(config-line)#password pass
Ruijie(config-line)#privilege level 15
Ruijie(config-line)#login
Ruijie(config-line)#exit
10-23
Configuration Guide Configuring SSH
Set the IP address and port ID of the SSH server. As shown in the network topology, the IP address of the
server is 192.168.23.122, and the port ID is 22 (For details about the configuration method, see "Configuring
SSH Device Management."). Click Open to start the SSH server. As the current authentication mode does
not require a user name, you can type in any user name, but cannot leave the user name unspecified. (In
this example, the user name is "anyname".)
Verification Run the show running-config command to display the current configurations.
Verify that the SSH client configurations are correct.
SSH Server
Ruijie#show running-config
Building configuration...
interface fastEthernet0/1
10-24
Configuration Guide Configuring SSH
line vty 0
privilege level 15
login
password passzero
line vty 1 4
privilege level 15
login
password pass
end
SSH Client
Set up a connection, and enter the correct password. The login password is "passzero" for Line 0 and "pass"
for the remaining lines. Then, the SSH server operation interface is displayed, as shown in Figure 10-15.
Figure 10-15
Ruijie#show users
10-25
Configuration Guide Configuring SSH
Scenario
Figure 10-16
SSH users can use the AAA authentication mode for user authentication, as shown in Figure 10-16.To
ensure security of data exchange, the PC functions as the SSH client, and uses the SSH protocol to log in to
the network device where the SSH server is enabled. To better perform security management, the AAA
authentication mode is used on the user login interface of the SSH client. Two authentication methods,
including Radius server authentication and local authentication, are provided in the AAA authentication
method list to ensure reliability. The Radius server authentication method is preferred. If the Radius server
does not respond, select the local authentication method.
Configuration The route from the SSH client to the SSH server is reachable, and the route from the SSH server to the
Steps Radius server is also reachable.
Configure the SSH server on the network device. The configuration method is already described in the
previous example, and therefore omitted here.
Configure the AAA parameters on the network device. When the AAA authentication mode is used,
method lists are created to define the identity authentication and types, and applied to a specified
service or interface.
SSH Server
Ruijie(config)# enable service ssh-server
Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
10-26
Configuration Guide Configuring SSH
a few minutes.
Choose the size of the key modulus in the range of 360 to 2048 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.
Ruijie(config)#interface gigabitEthernet1/1
Ruijie(config-if-gigabitEthernet1/1)#exit
Ruijie#configure terminal
Ruijie(config)#aaa new-model
Ruijie(config)#line vty 0 4
Ruijie(config-line)#exit
Ruijie(config)#enable secret w
Verification Run the show running-config command to display the current configurations.
This example assumes that the SAM server is used.
Set up a remote SSH connection on the PC.
Check the login user.
Ruijie#show run
aaa new-model
10-27
Configuration Guide Configuring SSH
no service password-encryption
interface gigabitEthernet1/1
no ip proxy-arp
line con 0
line vty 0 4
End
On the SSH client, choose System Management>Device Management, and add the device IP address
192.168.217.81 and the device key aaaradius.
Choose Security Management>Device Management Rights, and set the rights of the login user.
Choose Security Management>Device Administrator, and add the user name user and password pass.
Configure the SSH client and set up a connection to the SSH server. For details, see the previous example.
Type in the user name user and password pass. Verify that you can log in to the SSH server successfully.
Ruijie#show users
10-28
Configuration Guide Configuring SSH
Scenario
Figure 10-17
SSH users can use the public key for user authentication, and the public key algorithm is RSA or DSA, as
shown in Figure 10-17.SSH is configured on the client so that a secure connection is set up between the
SSH client and the SSH server.
Configuration To implement public key authentication on the client, generate a key pair (for example, RSA key) on
Steps the client, place the public key on the SSH server, and select the public key authentication mode.
After the key pair is generated on the client, you must save and upload the public key file to the server
and complete the server-related settings before you can continue to configure the client and connect
the client with the server.
After the key is generated on the client, copy the public key file from the client to the flash of the SSH
server, and associate the file with an SSH user name. A user can be associated with one RSA public
key and one DSA public key.
SSH Client
Run the puttygen.exe software on the client. Select SSH-2 RSA in the Parameters pane, and click
Generate to generate a key, as shown in Figure 10-18.
Figure 10-18
10-29
Configuration Guide Configuring SSH
When a key is being generated, you need to constantly move the mouse over a blank area outside the green
progress bar; otherwise, the progress bar does not move and key generation stops, as shown in Figure
10-19.
Figure 10-19
10-30
Configuration Guide Configuring SSH
To ensure security of the RSA public key authentication, the length of the generated RSA key pair must be
equal to or larger than 768 bits. In this example, the length is set to 1,024 bits.
Figure 10-20
10-31
Configuration Guide Configuring SSH
After the key pair is generated, click Save public key, type in the public key name test_key.pub, select the
storage path, and click Save. Then click Save private key. The following prompt box is displayed. Select
Yes, type in the public key name test_private, and click Save.
Figure 10-21
You must select the OpenSSH key file; otherwise, the key file cannot be used. The puttygen.exe software
can be used to generate a key file in OpenSSH format, but this file cannot be directly used by the PuTTY
client. You must use puttygen.exe to convert the private key to the PuTTY format. Format conversion is not
required for the public key file stored on the server, and the format of this file is still OpenSSH, as shown in
Figure 10-22.
Figure 10-22
10-32
Configuration Guide Configuring SSH
SSH Server
Ruijie#configure terminal
Verification After completing the basic configurations of the client and the server, specify the private key file
test_private on the PuTTY client, and set the host IP address to 192.168.23.122 and port ID to 22 to
set up a connection between the client and the server. In this way, the client can use the public key
authentication mode to log in to the network device.
Figure 10-23
10-33
Configuration Guide Configuring SSH
Common Errors
After the SCP function is enabled on a network device, you can directly download files from the network device and upload
local files to the network device. In addition, all interactive data is encrypted, featuring authentication and security.
Notes
Configuration Steps
Mandatory.
By default, the SCP server function is disabled. Run the ip scp server enable command to enable the SCP server
function in global configuration mode.
10-34
Configuration Guide Configuring SSH
Verification
Run the show ip ssh command to check whether the SCP server function is enabled.
Related Commands
Configuration Example
Configuration Run the ip scp server enable command to enable the SCP server.
Steps
Ruijie#configure terminal
Verification Run the show ip ssh command to check whether the SCP server function is enabled.
Ruijie(config)#show ipssh
Authentication retries: 3
Scenario
Figure 10-24
The SCP service is enabled on the server, and SCP commands are used on the client to transfer data to the
server.
10-35
Configuration Guide Configuring SSH
Steps
The SCP server uses SSH threading. When connecting to a network device for SCP transmission, the
client occupies a VTY session (You can finds out that the user type is SSH by running the show user
command).
On the client, use SCP commands to upload files to the server, or download files from the server.
Most options are related to terminals. Few options are supported on both terminals and servers. Ruijie’s
SCP servers do not support d-p-q-r options. When these options are applied, there are prompts.
SSH Server
Ruijie#configure terminal
test@192.168.195.188's password:
10.5 Monitoring
Displaying
10-36
Configuration Guide Configuring SSH
Description Command
Displays the effective SSH server configurations. show ipssh
Displays the established SSH connection. show ssh
Displays the public information of the SSH public show crypto key mypubkey
key.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs SSH sessions. debug ssh
10-37
Configuration Guide Configuring GSN
11 Configuring GSN
11.1 Overview
Global Security Network (GSN) is a security policy platform consisting of a series of security policies such as access control
and network security. The GSN platform includes a device end and a server end. RG Security Policy Management Platform
(RG-SMP) server acts as the security policy server for GSN.
In Ruijie General Operation System (RGOS), GSN accepts policies assigned by the SMP server, installs the policies on
devices, and determines whether to allow data packets in a certain condition to pass through RG Security Switch. The
security policies include binding, isolation, and blocking. Binding is to bind the IP address and MAC address of a user
(usually authenticated by the server) on a device. Isolation and blocking are to allow or prohibit transmission of specific data
by setting an Access Control List (ACL).
GSN collaborates with the SMP server, 802.1X authentication, and Web authentication.
11.2 Applications
Application Description
GSN Security Protection for After a user passes 802.1X authentication, the SMP server assigns security policies
Authenticated Users (such as ARP guard and device integrity) to maintain the user's network security.
After a user passes 802.1X authentication, the SMP server learns the IP-MAC mapping of this user from the Security
Account Manager (SAM) server and then assigns security policies to the access device.
Figure 11-1
11-1
Configuration Guide Configuring GSN
Deployment
Enable 802.1X authentication on the access device and deploy the SAM server.
Deploy the SMP server and add the access device to receive security policies assigned.
11.3 Features
Basic Concepts
RG-SMP platform
RG Security Agent
RG Restore System
RG Security Switch
RG-SMP Platform
Based on the configured policies, the RG-SMP platform determines whether to allow data packets specified in a certain
range to pass through RG Security Switch. To install policies is to set policies on a device. To uninstall policies is to remove
policies from a device.
11-2
Configuration Guide Configuring GSN
RG Security Agent
RG Security Agent is a type of software running on each device that has accessed a corporate network. It collects device
information, identifies users' network behaviors, monitors network communication and security status of the devices, and
sends collected information to the RG-SMP platform so that the administrator can make security policies accordingly. RG
Security Agent automatically downloads new security policies from the RG-SMP platform and implements specified security
policies locally.
RG Restore System
For users failing to meet corporate security policies, the administrator presets policies on the RG-SMP platform to shield
most of the network access permissions of these unauthorized users and leave only one green security channel. This
security channel can only connect to corporate security policy upgrade servers, including the Windows patch upgrade server,
virus upgrade library server for anti-virus software, or other corporate upgrade servers.
When detecting that the security policies of a device do not meet the security levels defined by the RG-SMP platform, RG
Security Agent immediately uploads its security logs to the RG-SMP platform. The RG-SMP platform selects one policy from
the preset policy set based on the alarm logs sent by RG Security Agent, and sends this policy to all RG security switches.
After accepting the latest policy configuration, RG security switches immediately apply the configuration so that the alarming
user can access only the specified upgrade server based on the restoration operations specified by the SMP server and
automatically install patches.
When the user completes all restoration operations specified by the SMP server, RG Security Agent checks the security of
the RG-SMP platform again. If the user meets all security policy sets, RG Security Agent notifies the RG-SMP platform to
cancel the ACL restriction on this user and set this user to a common user.
RG Security Switch
As a part of Ruijie security solution, RG Security Switch receives policies from the RG-SMP platform, installs the policies, and
controls users based on the installed policies.
11.4 Configuration
(Mandatory) It is used to enable GSN on an access device and its communication with
the SMP server.
11-3
Configuration Guide Configuring GSN
(Optional) It is used to configure the minimum interval for transmitting security events.
Notes
You can configure SNMPv1, SNMPv2, or SNMPv3 as the name of the security authentication mechanism for
communication with the SMP server.
To facilitate user configuration, security v1 community and security community are both used to configure SNMPv1.
If SNMPv3 is selected, you must configure SNMPv3 users under the snmp-server command. For details about
configuration commands, refer to the section Configuring SNMP.
Configuration Steps
Mandatory.
Unless otherwise specified, enable GSN on each device that requires the security solution.
Mandatory.
Unless otherwise specified, enable this function on each device that requires the security solution to communicate with
the SMP server.
Mandatory.
11-4
Configuration Guide Configuring GSN
Unless otherwise specified, configure the IP address of the SMP server on each device that requires the security
solution to communicate with the SMP server.
To prevent unauthorized users from frequently sending security events to attack RG Security Switch and the SMP
server by faking security events, you can configure the minimum interval for transmitting security events to restrict users
from reporting security events.
If you want to modify the default minimum interval for transmitting the security events, run the related command. The
default interval is 5 seconds.
Related Commands
11-5
Configuration Guide Configuring GSN
Configuration Example
Common Errors
Notes
This function takes effect only when GSN is globally enabled and the configured port is an authentication port.
11-6
Configuration Guide Configuring GSN
Due to the application features of GSN, you need to disable 802.1X-based IP address authorization before enabling GSN.
GSN and 802.1X-based IP address authorization cannot be enabled at the same time. Otherwise, the running of security
policies will be affected.
Configuration Steps
To enable address binding based on a port, run the security address-bind enable command.
Related Commands
Configuration Example
11.5 Monitoring
Displaying
Description Command
Displays the IP address of the SMP show smp-server
server.
Displays the minimum interval for show security event interval
transmitting security events.
11-7
Configuration Guide Configuring GSN
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs GSN. debug gsn { all | error | event | packet | server | detail }
11-8
Configuration Guide Configuring CPP
12 Configuring CPP
12.1 Overview
The CPU Protect Policy (CPP) provides policies for protecting the CPU of a switch.
In network environments, various attack packets spread, which may cause high CPU usages of the switches, affect protocol
running and even difficulty in switch management. To this end, switch CPUs must be protected, that is, traffic control and
priority-based processing must be performed for various incoming packets to ensure the processing capabilities of the switch
CPUs.
CPP can effectively prevent malicious attacks in the network and provide a clean environment for legitimate protocol packets.
CPP is enabled by default. It provides protection during the entire operation of switches.
12.2 Applications
Application Description
Preventing Malicious Attacks When various malicious attacks such as ARP attacks intrude in a network, CPP
divides attack packets into queues of different priorities so that the attack packets will
not affect other packets.
Preventing CPU Processing Even when no attacks exist, it would become a bottleneck for CPU to handle
Bottlenecks excessive normal traffic. CPP can limit the rate of packets being sent to the CPU to
ensure normal operation of switches.
Network switches at all levels may be attacked by malicious packets, typically ARP attacks.
As shown in Figure 12-1, switch CPUs process three types of packets: forwarding-plane, control-plane and protocol-plane.
Forwarding-plane packets are used for routing, including ARP packets and IP route disconnection packets. Control-plane
packets are used to manage services on switches, including Telnet packets and HTTP packets. Protocol-plane packets
serve for running protocols, including BPDU packets and OSPF packets.
When an attacker initiates attacks by using ARP packets, the ARP packets will be sent to the CPU for processing. Since the
CPU has limited processing capabilities, the ARP packets may force out other packets (which may be discarded) and
consume many CPU resources (for processing ARP attack packets). Consequently, the CPU fails to work normally. In the
scenario as shown in Figure 12-1, possible consequences include: common users fail to access the network; administrators
fail to manage switches; the OSPF link between switch A and the neighbor B is disconnected and route learning fails.
12-1
Configuration Guide Configuring CPP
Deployment
By default, CPP classifies ARP packets, Telnet packets, IP route disconnection packets, and OSFP packets into
queues of different priorities. In this way, ARP packets will not affect other packets.
By default, CPP limits the rates of ARP packets and the rates of the priority queue where the ARP packets reside to
ensure that the attack packets do not occupy too many CPU resources.
Packets in the same priority queue with ARP packets may be affected by ARP attack packets. You can divide the
packets and the ARP packets into different priority queues by means of configuration.
When ARP attack packets exist, CPP cannot prevent normal ARP packets from being affected. CPP can only
differentiate the packet type but cannot distinguish attack packets from normal packets of the same type. In this case,
the Network Foundation Protection Policy (NFPP) function can be used to provide higher-granularity attack prevention.
Even though no attacks exist, many packets may need to be sent to the CPU for processing at an instant.
For example, the accesses to the core device of a campus network are counted in ten thousands. The traffic of normal ARP
packets may reach dozens of thousands packets per second (PPS). If all packets are sent to the CPU for processing, the
CPU resources cannot support the processing, which may cause protocol flapping and abnormal CPU running.
Deployment
By default, the CPP function limits the rates of ARP packets and the rates of the priority queue where the APR packets
reside to control the rate of ARP packets sent to the CPU and ensure that the CPU resource consumption is within a
specified range and that the CPU can normally process other protocols.
By default, the CPP function also limits the rates of other packets at the user level, such as Web authentication and
802.1X authentication packets.
12-2
Configuration Guide Configuring CPP
12.3 Features
Basic Concepts
QOS, DiffServ
Quality of Service (QoS) is a network security mechanism, a technology used to solve the problems of network delay and
congestion.
DiffServ refers to the differentiated service model, which is a typical model implemented by QoS for classifying service
streams to provide differentiated services.
Bandwidth, Rate
Bandwidth refers to the maximum allowable data rate, which refers to the rate threshold in this document. Packets whose
rates exceed the threshold will be discarded.
The rate indicates an actual data rate. When the rate of packets exceeds the bandwidth, packets out of the limit will be
discarded. The rate must be equal to or smaller than the bandwidth.
The bandwidth and rate units in this document are packets per second (pps).
L2, L3, L4
L2 refers to layer-2 headers, namely, the Ethernet encapsulation part; L3 refers to layer-3 headers, namely, the IP
encapsulation part; L4 refers to layer-4 headers, usually, the TCP/UDP encapsulation part.
Priority Queue, SP
Packets are cached inside a switch and packets in the output direction are cached in queues. Priority queues are mapped to
Strict Priorities (SPs). Queues are not equal but have different priorities.
The SP is a kind of QoS scheduling algorithm. When a higher priority queue has packets, the packets in this queue are
scheduled first. Scheduling refers to selecting packets from queues for output and refers to selecting and sending the
packets to the CPU in this document.
CPU interface
Before sending packets to the CPU, a switch will cache the packets. The process of sending packets to the CPU is similar to
the process of packet output. The CPU interface is a virtual interface. When packets are sent to the CPU, the packets will be
output from this virtual interface. The priority queue and SP mentioned above are based on the CPU interface.
Overview
CPP protects the CPU by using the standard QoS DiffServ model.
12-3
Configuration Guide Configuring CPP
Feature Description
Classfier Classifies packet types and provides assurance for the subsequent implementation of QoS policies.
Meter Limits rates based on packet types and controls the bandwidth for a specific packet type.
Queue Queue packets to be sent to the CPU and select different queues based on packet types.
Scheduler Selects and schedules queues to be sent to the CPU.
Shaper Performs rate limit and bandwidth control on priority queues and the CPU interface.
12.3.1 Classifier
Working Principle
The Classifier classifies all packets to be sent to the CPU based on the L2, L3 and L4 information of the packets. Classifying
packets is the basis for implementing QoS policies. In subsequent actions, different policies are implemented based on the
classification to provide differentiated services. A switch provides fixed classification. The management function classifies
packet types based on the protocols supported by the switch, for example, STP BPDU packets and ICMP packets. Packet
types cannot be customized.
12.3.2 Meter
Working Principle
The Meter limits the rates of different packets based on the preset rate thresholds. You can set different rate thresholds for
different packet types. When the rate of a packet type exceeds the corresponding threshold, the packets out of the limit will
be discarded.
By using the Meter, you can control the rate of a packet type sent to the CPU within a threshold to prevent specific attack
packets from exerting large impacts on the CPU resources. This is the level-1 protection of the CPP.
Related Configuration
By default, each packet type corresponds to a rate threshold (bandwidth) and Meter policies are implemented based on
the rate threshold.
In application, you can run the cpu-protect type packet-type bandwidth bandwidth-value command to set Meter
policies for specified packet types.
12.3.3 Queue
Working Principle
12-4
Configuration Guide Configuring CPP
Queues are used to classify packets at level 2. You can select the same queue for different packet types; meanwhile, queues
cache packets inside switches and provide services for the Scheduler and Shaper.
CPP queues are SP queues. The SPs of the packets are determined based on the time when they are added to a queue.
Packets with a larger queue number have a higher priority.
Related Configuration
In application, you can run the cpu-protect type packet-type traffic-class traffic-class-num command to select SP
queues for specific packet types.
12.3.4 Scheduler
Working Principle
The Scheduler schedules packets based on SPs of queues. That is, packets in a queue with a higher priority are scheduled
first.
Before being scheduled, packets to be sent to the CPU are cached in queues. When being scheduled, the packets are sent
to the CPU for processing.
12.3.5 Shaper
Working Principle
The Shaper is used to shape packets to be sent to the CPU, that is, when the actual rate of packets is greater than the
shaping threshold, the packets must stay in the queue and cannot be scheduled. When packet rates fluctuate, the Shaper
ensures that the rates of packets sent to the CPU are smooth (no more than the shaping threshold).
When the Shaper is available, packets in a queue with a lower priority may be scheduled before all packets in a queue with a
higher priority are scheduled. If the rate of packets in a queue with certain priority exceeds the shaping threshold, scheduling
of the packets in this queue may be stopped temporarily. Therefore, the Shaper can prevent packets in queues with lower
priorities from starvation (which means that only packets in queues with higher priorities are scheduled and packets in
queues with higher priorities are not scheduled).
Since the Shaper limits the scheduling rates of packets, it actually plays the rate limit function. The Shaper provides level-2
rate limit for priority queues and all packets sent to the CPU (CPU interface). The Shaper and Meter functions provide 3-level
rate limit together and provide level-3 protection for the CPU.
Figure 12-3 Level Rate Limit of the CPP
12-5
Configuration Guide Configuring CPP
Related Configuration
In application, you can run the cpu-protect traffic-class traffic-class-num bandwidth bandwidth_value command to
perform Shaper configuration for a specific priority queue.
Run the cpu-protect cpu bandwidth bandwidth_value command to perform Shaper configuration for the CPU
interface.
12.4 Configuration
cpu-protect type packet-type bandwidth Configures the Meter for a packet type.
Configures the priority queue for a packet
Configuring CPP cpu-protect type packet-type traffic-class
type.
cpu-protect traffic-class traffic-class-num
Configures the Shaper for a priority queue.
bandwidth
Configures the Shaper for the CPU
cpu-protect cpu bandwidth
interface.
12-6
Configuration Guide Configuring CPP
By configuring the Meter function, you can set the bandwidth and rate limit for a packet type. Packets out of the limit will
be directly discarded.
By configuring the Queue function, you can select a priority queue for a packet type. Packets in a queue with a higher
priority will be scheduled first.
By configuring the Shaper function, you can set the bandwidth and rate limit for a CPU interface and a priority queue.
Packets out of the limit will be directly discarded.
Notes
Pay special attention when the bandwidth of a packet type is set to a smaller value, which may affect the normal traffic
of the same type. To provide per-user CPP, combine the NFPP function.
When the Meter and Shaper functions are combined, 3-level protection will be provided. Any level protection fights
alone may bring negative effects. For example, if you want to increase the Meter of a packet type, you also need to
adjust the Shaper of the corresponding priority queue. Otherwise, the packets of this type may affect other types of
packets in the same priority queue.
Configuration Steps
You can use or modify the default value but cannot disable it.
You need to modify the configuration in the following cases: when packets of a type are not attackers but are discarded,
you need to increase the Meter of this packet type. If attacks of a packet type cause abnormal CPU running, you need
to decrease the Meter of this packet type.
You can use or modify the default value but cannot disable it.
You need to modify the configuration in the following cases: When attacks of a packet type cause abnormality of other
packets in the same queue, you can put the packet type in an unused queue. If a packet type cannot be discarded but
the packet type is in the same queue with other packet types in use, you can put this packet type in a queue with a
higher priority.
You can use or modify the default value and cannot disable it.
You need to modify the configuration in the following cases: If the Meter value of a packet type is greater which causes
that other packets in the corresponding priority queue do not have sufficient bandwidth, you need to increase the
12-7
Configuration Guide Configuring CPP
Shaper for this priority queue. If attack packets are put in a priority queue and no other packets are in use, you need to
increase the Shaper of this priority queue.
You can use or modify the default value and cannot disable it.
You are not advised to change the Shaper of the CPU interface.
Verification
Modify the configurations when the system runs abnormally, and view the system running after the modification to
check whether the configurations take effect.
Check whether the configurations take effect by viewing corresponding configurations and statistic values. For details,
see the following commands.
Related Commands
12-8
Configuration Guide Configuring CPP
Configuration Example
Scenario ARP, IP, OSPF, dot1x, VRRP, Telnet and ICMP streams are available in the system. In the current
configurations, ARP and 802.1X are in priority queue 2; IP, ICMP and Telnet streams are in priority
queue 4; OSPF streams are in priority queue 3; VRRP streams are in priority queue 6. The Meter for
each packet type is 10,000 pps; the shaper for each priority queue is 20,000 pps; the Shaper for the
CPU interface is 100,000 pps.
ARP attacks and IP scanning attacks exist in the system, which causes abnormal running of the
system, authentication failure, Ping failure, management failure, and OSPF flapping.
Configuration Put ARP attack packets in priority queue 1 and limit the bandwidth for ARP packets or the
Steps corresponding priority queue.
Put OSPF packets in priority queue 5.
Put IP Ping failure attack packets in priority queue 3 and limit the bandwidth for IP packets or the
corresponding priority queue.
Ruijie(config)# end
Verification Run the show cpu-protect command to view the configuration and statistics.
12.5 Monitoring
Clearing
Description Command
Clears the CPP statistics. clear cpu-protect counters [device device_num] [slot slot_num]
12-9
Configuration Guide Configuring CPP
Displaying
Description Command
Displays the configuration and show cpu-protect type packet-type [device device_num] [slot slot_num]
statistics of a packet type.
Displays the configuration and show cpu-protect traffic-class traffic-class-num [device device_num] [slot
statistics of a priority queue. slot_num]
Displays the configuration on a CPU show cpu-protect cpu
interface.
Displays all configurations and show cpu-protect {mboard | summary }
statistics on the master device.
Displays all configurations and show cpu-protect [device device_num] [slot slot_num]
statistics of CPP.
Debugging
N/A
The preceding monitoring commands are available on both chassis and cassette devices in either the standalone mode
or the VSU mode.
If the device and slot values are not specified, the clear command is used to clear the statistics of all nodes in the
system and the show command is used to display the configurations on the master device.
In the standalone mode, the parameter device is unavailable. For chassis devices, the parameter slot is used to
specify a line card; for cassette devices, slot is unavailable.
In the VSU mode, the parameter device indicates a chassis or cassette device. If the device value is not specified, it
indicates the master chassis or the master device. For chassis devices, if the device value is specified the slot value
must also be specified to identify a line card in a chassis; for cassette devices, slot is unavailable.
12-10
Configuration Guide Configuring DHCP Snooping
13.1 Overview
DHCP Snooping: DHCP Snooping snoops DHCP interactive packets between clients and servers to record and monitor
users' IP addresses and filter out illegal DHCP packets, including client request packets and server response packets. The
legal user database generated from DHCP Snooping records may serve security applications like IP Source Guard.
13.2 Applications
Application Description
Guarding against DHCP service In a network with multiple DHCP servers, DHCP clients are allowed to obtain network
spoofing configurations only from legal DHCP servers.
Guarding against DHCP packet Malicious network users may frequently send DHCP request packets.
flooding
Guarding against forged DHCP Malicious network users may send forged DHCP request packets, for example,
packets DHCP-RELEASE packets.
Guarding against IP/MAC spoofing Malicious network users may send forged IP packets, for example, tampered source
address fields of packets.
Preventing Lease of IP Addresses Network users may lease IP addresses rather than obtaining them from a DHCP
server.
Detecting ARP attack Malicious users forge ARP response packets to intercept packets during normal
users' communication.
Multiple DHCP servers may exist in a network. It is essential to ensure that user PCs obtain network configurations only from
the DHCP servers within a controlled area.
Take the following figure as an example. The DHCP client can only communicate with trusted DHCP servers.
Request packets from the DHCP client can be transmitted only to trusted DHCP servers.
Only the response packets from trusted DHCP servers can be transmitted to the client.
Figure 13-1
13-1
Configuration Guide Configuring DHCP Snooping
Deployment
Potential malicious DHCP clients in a network may send high-rate DHCP packets. As a result, legitimate users cannot obtain
IP addresses, and access devices are highly loaded or even break down. It is necessary to take actions to ensure network
stability.
With the DHCP Snooping rate limit function for DHCP packets, a DHCP client can only send DHCP request packets at a rate
below the limit.
The request packets from a DHCP client are sent at a rate below the limit.
Enable DHCP Snooping correlation with ARP, and delete the non-existing entries.
Deployment
13-2
Configuration Guide Configuring DHCP Snooping
Enable DHCP Snooping correlation with ARP, and detect whether the user is online.
Potential malicious clients in a network may forge DHCP request packets, consuming applicable IP addresses from the
servers and probably preempting legal users' IP addresses. Therefore, it is necessary to filter out illegal DHCP packets.
For example, as shown in the figure below, the DHCP request packets sent from DHCP clients will be checked.
The source MAC address fields of the request packets from DHCP clients must match the chaddr fields of DHCP
packets.
The Release packets and Decline packets from clients must match the entries in the DHCP Snooping binding
database.
Figure 13-2
Deployment
Enable DHCP Snooping Source MAC Verification on untrusted ports of S to filter out illegal packets.
13-3
Configuration Guide Configuring DHCP Snooping
Check IP packets from untrusted ports to filter out forged IP packets based on IP or IP-MAC fields.
For example, in the following figure, the IP packets sent by DHCP clients are validated.
The source IP address fields of IP packets must match the IP addresses assigned by DHCP.
The source MAC address fields of layer-2 packets must match the chaddr fields in DHCP request packets from clients.
Figure 13-3
Deployment
Enable IP Source Guard in IP-MAC based mode to check the source MAC and IP address fields of IP packets.
Validate the source addresses of IP packets from untrusted ports compared with DHCP-assigned addresses.
If the source addresses, connected ports, and layer-2 source MAC addresses of ports in IP packets do not match the
assignments of the DHCP server, such packets will be discarded.
The networking topology scenario is the same as that shown in the previous figure.
13-4
Configuration Guide Configuring DHCP Snooping
Deployment
Check the ARP packets from untrusted ports and filter out the ARP packets unmatched with the assignments of the DHCP
server.
For example, in the following figure, the ARP packets sent from DHCP clients will be checked.
The ports receiving ARP packets, the layer-2 MAC addresses, and the source MAC addresses of ARP packets senders
shall be consistent with the DHCP Snooping histories.
Figure 13-4
Deployment
Enable IP Source Guard and ARP Check on all the untrusted ports on S to realize ARP packet filtering.
All the above security control functions are only effective to DHCP Snooping untrusted ports.
13-5
Configuration Guide Configuring DHCP Snooping
13.3 Features
Basic Concepts
Request packets are sent from a DHCP client to a DHCP server, including DHCP-DISCOVER packets, DHCP-REQUEST
packets, DHCP-DECLINE packets, DHCP-RELEASE packets and DHCP-INFORM packets.
Response packets are sent from a DHCP server to a DHCP client, including DHCP-OFFER packets, DHCP-ACK packets
and DHCP-NAK packets.
IP address request interaction is complete via broadcast. Therefore, illegal DHCP services will influence normal clients'
acquisition of IP addresses and lead to service spoofing and stealing. To prevent illegal DHCP services, DHCP Snooping
ports are divided into two types: trusted ports and untrusted ports. The access devices only transmit DHCP response packets
received on trusted ports, while such packets from untrusted ports are discarded. In this way, we may configure the ports
connected to a legal DHCP Server as trusted and the other ports as untrusted to shield illegal DHCP Servers.
On switches, all switching ports or layer-2 aggregate ports are defaulted as untrusted, while trusted ports can be specified.
To shield all the DHCP packets on a specific client, we can enable DHCP Snooping packet suppression on its untrusted
ports.
DHCP Snooping can work on a VLAN basis. By default, when DHCP Snooping is enabled, it is effective to all the VLANs of
the current client. Specify VLANs help control the effective range of DHCP Snooping flexibly.
In a DHCP network, clients may set static IP addresses randomly. This increases not only the difficulty of network
maintenance but also the possibility that legal clients with IP addresses assigned by the DHCP server may fail to use the
network normally due to address conflict. Through snooping packets between clients and servers, DHCP Snooping
summarizes the user entries including IP addresses, MAC address, VLAN ID (VID), ports and lease time to build the DHCP
Snooping binding database. Combined with ARP detection and ARP check, DHCP Snooping controls the reliable
assignment of IP addresses for legal clients.
DHCP Snooping rate limit function can be configured through the rate limit command of Network Foundation Protection
Policy (NFPP). For NFPP configuration, see the Configuring NFPP.
DHCP Option82
13-6
Configuration Guide Configuring DHCP Snooping
DHCP Option82, an option for DHCP packets, is also called DHCP Relay Agent Information Option. As the option number is
82, it is known as Option82. Option82 is developed to enhance the security of DHCP servers and improve the strategies of IP
address assignment. The option is often configured for the DHCP relay services of a network access device like DHCP Relay
and DHCP Snooping. This option is transparent to DHCP clients, and DHCP relay components realize the addition and
deduction of the option.
Through DHCP Snooping, validation is performed on the DHCP packets passing through a client. Illegal DHCP packets are
discarded, user information is recorded into the DHCP Snooping binding database for further applications (for example, ARP
detection). The following types of packets are considered illegal DHCP packets.
The DHCP response packets received on untrusted ports, including DHCP-ACK, DHCP-NACK and DHCP-OFFER
packets
The DHCP request packets carrying gateway information giaddr, which are received on untrusted ports
When MAC verification is enabled, packets with source MAC addresses different with the value of the chaddr field in
DHCP packets
DHCP-RELEASE packets with the entry in the DHCP Snooping binding database Snooping while with untrusted ports
inconsistent with settings in this binding database
Overview
Feature Description
Filtering DHCP Perform legality check on DHCP packets and discard illegal packets (see the previous section for the
packets introduction of illegal packets). Transfer requests packets received on trusted ports only.
Building the DHCP Snoop the interaction between DHCP clients and the server, and generate the DHCP Snooping
Snooping binding binding database to provide basis for other filtering modules.
database
Working Principle
During snooping, check the receiving ports and the packet fields of packets to realize packet filtering, and modify the
destination ports of packets to realize control of transmit range of the packets.
Checking Ports
In receipt of DHCP packets, a client first judges whether the packet receiving ports are DHCP Snooping trusted ports. If yes,
legality check and binding entry addition are skipped, and packets are transferred directly. For not, both the check and
addition are needed.
13-7
Configuration Guide Configuring DHCP Snooping
A client checks whether packets are UDP packets and whether the destination port is 67 or 68. Check whether the packet
length match the length field defined in protocols.
According to the types of illegal packet introduced in the section "Basic Concepts", check the fields giaddr and chaddr in
packets and then check whether the restrictive conditions for the type of the packet are met.
Related Configuration
Global DHCP Snooping must be enabled before VLAN-based DHCP Snooping is applied.
By default, when global DHCP Snooping is effective, DHCP Snooping is effective to all VLANs.
Use the [ no ] ip dhcp snooping vlan command to enable DHCP Snooping on specified VLANs or delete VLANs from the
specified VLANs. The value range of the command parameter is the actual range of VLAN numbers.
By default, the layer-2 MAC addresses of packets and the chaddr fields of DHCP packets are not verified.
When the ip dhcp snooping verify mac-address command is used, the source MAC addresses and the chaddr fields of
the DHCP request packets sent from untrusted ports are verified. The DHCP request packets with different MAC addresses
will be discarded.
Working Principle
During snooping, the binding database is updated timely based on the types of DHCP packets.
When a DHCP-ACK packet on a trusted port is snooped, the client's IP address, MAC address, and lease time field are
extracted together with the port ID (a wired interface index) and VLAN ID. Then, a binding entry of it is generated.
13-8
Configuration Guide Configuring DHCP Snooping
When the recorded lease time of a binding entry is due, it will be deleted if a legal DHCP-RELEASE/DHCP-DECLINE packet
sent by the client or a DHCP-NCK packet received on a trusted port is snooped, or the clear command is used.
Related Configuration
13.4 Configuration
13-9
Configuration Guide Configuring DHCP Snooping
Notes
The ports on clients connecting a trusted DHCP server must be configured as trusted.
DHCP Snooping is effective on the wired switching ports, layer-2 aggregate ports, and layer-2 encapsulation
sub-interfaces. The configuration can be implemented in interface configuration mode.
DHCP Snooping and DHCP Relay are mutually exclusive in VRF scenarios.
Configuration Steps
Mandatory.
Mandatory.
This configuration is required if the chaddr fields of DHCP request packets match the layer-2 source MAC addresses of
data packets.
Unless otherwise noted, the feature should be enabled on all the untrusted ports of access devices.
Enable this feature to timely save the DHCP Snooping binding database information in case that client reboot.
Optional
13-10
Configuration Guide Configuring DHCP Snooping
Optional.
Optional.
Verification
Check whether the DHCP Snooping Binding database is generated with entries on the client.
Related Commands
13-11
Configuration Guide Configuring DHCP Snooping
Mode
Usage Guide Use this command to reject all DHCP request packets at the port, that is, to forbid all users under the port to
apply for addresses via DHCP.
13-12
Configuration Guide Configuring DHCP Snooping
Mode
Usage Guide Use this command to import the information from backup file to the DHCP Snooping binding database.
13-13
Configuration Guide Configuring DHCP Snooping
packets of new users are forwarded and obtain addresses, but DHCP Snooping does not record binding
entries of new users.
Configuration Example
Scenario
Figure 13-5
13-14
Configuration Guide Configuring DHCP Snooping
Common Errors
Another access security option is already configured for the uplink port, so that a DHCP trusted port cannot be
configured.
Enable a DHCP server to obtain more information and assign addresses better.
Notes
The Opion82 functions for DHCP Snooping and DHCP Relay are mutually exclusive.
Configuration Steps
Unless otherwise noted, enable this function on access devices with DHCP Snooping enabled.
Verification
Check whether the DHCP Snooping configuration options are configured successfully.
Related Commands
13-15
Configuration Guide Configuring DHCP Snooping
Usage Guide Use this command to add Option82 to DHCP request packets so that a DHCP server assigns addresses
according to such information.
When dot1x-format is used, if DHCP Relay is configured on the local device and the uplink port connected to
the DHCP Server is an SVI port, DHCP Snooping needs to be disabled in the VLAN to which the SVI port
belongs.
Command [ no ] ip dhcp snooping information option format remote-id { string ASCII-string | hostname }
Parameter string ASCII-string: Indicates the content of the extensible format, the Option82 option remote-id, is a
Description user-defined character string
hostname: Indicates the content of the extensible format, the Option82 option remote-id, is a host name.
Configuration Global configuration mode
mode
Usage Guide Use this command to configure the sub-option remote-id of the Option82 as user-defined content, which is
added to DHCP request packets. A DHCP server assigns addresses according to Option82 information.
Command [ no ] ip dhcp snooping vlan vlan-id information option format-type circuit-id string ascii-string
Parameter vlan-id: Indicates the VLAN where a DHCP request packet is
Description ascii-string: Indicates the user-defined string
Configuration Interface configuration mode
mode
Usage Guide Use this command to configure the sub-option circuit-id of the Option82 as user-defined content, which is
added to DHCP request packets. A DHCP server assigns addresses according to Option82 information.
Configuration Example
13-16
Configuration Guide Configuring DHCP Snooping
Common Errors
N/A
13.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears dynamic user inforamtion of clear ip dhcp snooping binding [ ip ] [ mac ] [ vlan vlan-id ] [ interface
DHCP Snooping database. interface-id ]
Displaying
Description Command
Displays DHCP Snooping show ip dhcp snooping
configuration.
Displays the DHCP Snooping binding show ip dhcp snooping binding
database.
Debugging
System resources are occupied when debugging information is output. Disable the debugging switch immediately after
use.
13-17
Configuration Guide Configuring DHCP Snooping
Description Command
Debugs DHCP Snooping events. debug snooping ipv4 event
Disables debugging DHCP Snooping
no debug snooping ipv4 event
events.
Debugs DHCP Snooping packets. debug snooping ipv4 packet
Disables debugging DHCP Snooping
no debug snooping ipv4 packet
packets.
Enables debugging MAC-based DHCP
debug snooping ipv4 mac-address H.H.H
Snooping.
Disables debugging MAC-based DHCP
no debug snooping ipv4 mac-address H.H.H
Snooping.
Enables debugging all DHCP Snooping debug snooping ipv4 all
Disables debugging all DHCP
no debug snooping ipv4 all
Snooping
13-18
Configuration Guide Configuring DHCPv6 Snooping
14.1 Overview
DHCPv6 Snooping: Dynamic Host Configuration Protocol version 6 (DHCPv6) snooping enables recording and monitoring of
IPv6 address usage by snooping DHCPv6 packets exchanged between the client and the server, and filters illegal DHCPv6
packets, including request packets from the client and response packets from the server. The user data entries generated by
DHCPv6 snooping recording can serve security applications such as IPv6 Source Guard.
14.2 Applications
Application Description
Prevention of DHCPv6 Spoofing There is more than one DHCPv6 server on the network, and DHCPv6 clients can
obtain network configuration parameters only from legal DHCPv6 servers.
Prevention of Forged DHCPv6 Malicious users on the network frequently send DHCPv6 request packets.
Packet Attacks
Prevention of Forged DHCPv6 Malicious users on the network send forged DHCPv6 request packets such as
Packet Attacks DHCPv6 release packets.
Prevention of IPv6/MAC Spoofing Malicious users on the network send forged IPv6 request packets that temper the
source address fields.
Prevention of Unauthorized IPv6 Users do not obtain IPv6 addresses from the DHCPv6 server as required and
Configuration configure IPv6 addresses without authorization.
There may exist more than one DHCPv6 server on the network, and it is necessary to ensure that user PCs obtain network
configuration parameters only from the controlled DHCPv6 servers.
As shown in the following figure, the DHCPv6 client only communicates with trusted DHCPv6 servers.
The request packets from the DHCPv6 client are transmitted only to a trusted DHCPv6 server.
Only the response packets from the trusted DHCPv6 server can be transmitted to the client.
14-1
Configuration Guide Configuring DHCPv6 Snooping
Figure 14-1
Deployment
Enable DHCPv6 snooping on the access device S for DHCPv6 packet monitoring.
Set the port connecting the access device S to the DHCPv6 server B as a DHCPv6 trusted port to forward response
packets.
Set the other ports of the access device S as DHCPv6 untrusted ports to filter response packets.
There may exist malicious users on the network who forge DHCPv6 request packets. The packets not only consume
available IPv6 addresses of the server but may also snatch IPv6 addresses from legal users. Therefore, such packets on the
network must be filtered.
As shown in the following figure, the DHCPv6 request packets sent by the DHCPv6 client will be checked.
Release packets and decline packets from the client must match those recorded in the internal snooping database.
14-2
Configuration Guide Configuring DHCPv6 Snooping
Figure 14-2
Deployment
Set the port connecting the access device S to the DHCPv6 server as a DHCPv6 trusted port to forward response
packets.
Set the other ports of the access device S as DHCPv6 untrusted ports to filter DHCPv6 packets.
When checking IPv6 packets from the untrusted port, you may check IP address fields only or IP+MAC fields to filter forged
IPv6 packets.
As shown in the following figure, IPv6 packets sent from the DHCPv6 client will be checked.
The source address fields of IPv6 packets must match IPv6 addresses assigned by the DHCPv6 client.
The source Media Access Control (MAC) addresses of Layer-2 packets must match the client MAC addresses in
DHCPv6 request packets of the client.
14-3
Configuration Guide Configuring DHCPv6 Snooping
Figure 14-3
Deployment
Set all downstream ports on the access device S as DHCPv6 untrusted ports.
Enable IPv6 Source Guard on the access device S to filter IPv6 packets.
On the access device S, set the match mode of IPv6 Source Guard as IPv6+MAC to check both MAC fields and IPv6
fields of IPv6 packets.
When checking IPv6 packets from untrusted ports, you need to check whether source IPv6 addresses of the packets are
consistent with the IPv6 addresses assigned by the DHCPv6.
If the source IPv6 addresses, connection ports, or Layer-2 MAC addresses of IPv6 packets fail to match the assignment
records of the DHCPv6 server snooped by the device, the packets should be discarded.
The operating process of the device in the scenario is the same as that in the preceding figure.
Deployment
14-4
Configuration Guide Configuring DHCPv6 Snooping
14.3 Features
Basic Concepts
A DHCPv6 request packet is the packet sent from the DHCPv6 client to the DHCPv6 server. It includes DHCPv6 solicit
packet, DHCPv6 request packet, DHCPv6 confirm packet, DHCPv6 rebind packet, DHCPv6 release packet, DHCPv6
decline packet, DHCPv6 renew packet, DHCPv6 inform-req packet, and DHCPv6 leasequery packet.
A DHCPv6 response packet is the packet sent from the DHCPv6 server to the DHCPv6 client. It includes DHCPv6 advertise
packet, DHCPv6 reply packet, DHCPv6 reconfigure packet, DHCPv6 relay-reply packet, DHCPv6 leasequery-reply packet,
DHCPv6 leasequery-done packet, and DHCPv6 leasequery-data packet.
As the interactive packets used by DHCPv6 to obtain IPv6 addresses or prefixes are multicast packets, there may exist
illegal DHCPv6 services affecting IPv6 acquisition, and user information may even be stolen by such illegal services. To
prevent such issues, DHCPv6 snooping classifies ports into trusted and untrusted ports, and the devices forwards only the
DHCPv6 response packets received by the trusted port and discards all DHCPv6 response packets from the untrusted port.
By setting the ports connected to a legal DHCPv6 server as trusted ports and the others as untrusted ports, illegal DHCPv6
servers will be shielded.
On a switch, all switch ports or Layer-2 aggregate ports (APs) are untrusted ports by default, which can be configured as
trusted ports.
When DHCPv6 packets are disabled for an individual user, any DHCPv6 packets sent from the user's device shall be
shielded. DHCPv6 request packet filtering can be configured on an untrusted port to filter all DHCPv6 request packets
received by the port.
DHCPv6 snooping takes effect in the unit of VLAN. If DHCPv6 snooping is enabled by default, the function is enabled on all
VLANs of the device. The VLAN on which DHCPv6 snooping takes effect can be flexibly controlled through configuration.
On a DHCPv6 network, a frequently encountered problem is that users may arbitrarily set static IPv6 addresses. Such
addresses are difficult to maintain and may conflict with legal user addresses, making the users unable to access the Internet.
By snooping the packets exchanged between the client and the server, DHCPv6 snooping forms IPv6 information obtained
by users, user MAC, VID, PORT, and lease time into a user record, thus making a DHCPv6 snooping user database to
control legal use of IPv6 addresses.
14-5
Configuration Guide Configuring DHCPv6 Snooping
When managing user IP addresses, some network administrators expect to determine the IP addresses to be assigned
according to the user locations; that is, they expect to assign IP addresses to users according to the information on the
connected network devices, thereby adding user-related device information to DHCP request packets through DHCPv6
option while performing DHCPv6 snooping. The option number for RFC3315 is 18; the option number for RFC4649, the
option number used is 37. After the content of Option 18 and Option 37 is parsed on the DHCPv6 server, the server can
obtain information of more users according to the content uploaded by Option 18 and option 37 so as to assign IP addresses
more accurately.
The default content of Interface ID include the number of the VLAN to which the port receiving request packets from the
DHCPv6 client belongs, and the port index (the values of the port index are the slot number and port number); the extension
content is a customized character string. Default and extension fillings take effect only for wired interfaces, including switch
ports, Layer-2 APs, or Layer-2 encapsulation sub-interfaces.
The Interface ID filling format can be classified into standard and extension formats, only one of which can be used on the
same network. When the standard filling format is used, only default content can be filled in for sub-options of Interface ID, as
shown in the following figure:
Figure 14-4
To use customized content, the extension filling format can be used. The content filled in by extension can be default or
extension content. To distinguish between the content, add a content type field and a content length field of one byte
respectively following the sub-option length. For default content, set the content type as 0; for extension content, set the
content type as 1.
Figure 14-5
14-6
Configuration Guide Configuring DHCPv6 Snooping
Figure 14-6
The default content of Remote ID is the bridge MAC address of the DHCPv6 relay that receives request packets from the
DHCPv6 client, and the extension content is a customized character string.
The Remote ID filling format can be classified into standard and extension formats, only one of which can be used on the
same network. When the standard filling format is used, only default content are filled in for sub-options of Remote ID, as
shown in the following figure:
Figure 14-7
To use customized content, the extension filling format can be used. The content filled in by extension can be default or
extension content. To distinguish between the content, add a content type field and a content length field of one byte
respectively following the sub-option length. For default content, set the content type as 0; for extension content, set the
content type as 1.
Figure 14-8
14-7
Configuration Guide Configuring DHCPv6 Snooping
Figure 14-9
Note
Option 18: The values of port index for Interface ID are the slot number and port number. The port can be a wired switch port,
Layer-2 AP, or Layer-2 encapsulation sub-interface. The port number refers to the sequence number of the port in the slot.
The port number of a Layer-2 AP is an AP number. For example, the port number of Fa0/10 is 10, the port number of AP 11
is 11;
Slot numbers are the sequence numbers of all slots on a device (one device in stack mode). The slot number of an AP is the
last one. The sequence numbers of slots start from 0. Run the show slots command to display the numbers. For example:
Example 1:
Dev Slot
--- ----
Example 2:
14-8
Configuration Guide Configuring DHCPv6 Snooping
Dev Slot
--- ----
DHCPv6 snooping checks the validity of DHCPv6 packets passing through the device, discards illegal DHCPv6 packets,
records user information, and generates a DHCPv6 snooping binding database for query of other functions. The following
packets are considered as illegal DHCPv6 packets.
DHCPv6 response packets received by untrusted ports. For details, see the section DHCPv6 Response Packet.
Relayed DHCPv6 packets received by untrusted ports, namely DHCPv6 relay-forw packets and DHCPv6 relay-reply
packets.
DHCPv6 relay-reply packets received by trusted ports. The egress for these packets is an untrusted ports according to
the entry.
DHCPv6 release packets; no corresponding users are found in the DHCPv6 snooping user database according to the
Layer-2 source MAC and VID of these packets.
DHCPv6 release packets. The IPv6 addresses or prefixes of these packets do not exist in the DHCPv6 snooping user
database.
DHCPv6 release packets. The IPv6 addresses or prefixes of these packets all exist in the DHCPv6 snooping user
database but the untrusted ports of DHCPv6 release packets are inconsistent with those untrusted ports in the DHCPv6
snooping user database.
Overview
Features Description
Filtering Illegal Checks the validity of exchanged DHCPv6 packets, and discards illegal packets (see the preceding
DHCPv6 Packets section for instructions for illegal packets). Forwards only legal response packets to trusted ports.
Establishing a User Snoops interaction between the client and the server, and generates the DHCPv6 snooping user
Database database to provide a basis for other security filtering modules.
14-9
Configuration Guide Configuring DHCPv6 Snooping
Working Principle
During snooping, the receipt ports of packets and packet fields are checked to filter the packets; the destination ports of
packets are modified to control the transmission scope of packets.
Checking Ports
When receiving DHCPv6 packets, the device first determines whether the port receiving packets is a DHCPv6 trusted port. If
the port is a trusted port, the packets will be forwarded without validity check, binding, or prefix record generation. If the port
is an untrusted port, validity check is required.
Check whether the packets are User Datagram Protocol (UDP) packets and the destination port is 546 or 547. Check
whether the actual length of a packet matches the length field described in the protocol.
Checking Whether DHCPv6 Packet Field and Packet Type are Correct
Check whether the packets are relayed according to the types of illegal packets described in the preceding section Basic
Concepts, and then check whether the restrictions specific to a type of packets are met according to the actual type of
packets.
Related Configuration
Run the [ no ] ipv6 dhcp snooping command to enable or disable DHCPv6 snooping.
To enable or disable DHCPv6 snooping on different VLANs, global DHCPv6 snooping must be enabled first.
By default, when global DHCPv6 snooping is enabled, DHCPv6 snooping takes effect on all VLANs.
Run the [ no ] ipv6 dhcp snooping vlan command to enable or disable DHCPv6 snooping on a VLAN. The range of
command parameter values is the actual range of VLAN numbers.
14-10
Configuration Guide Configuring DHCPv6 Snooping
Working Principle
During snooping, binding database and prefix database are continuously updated according to the types of DHCPv6
packets.
When DHCPv6 reply packets are snooped on a trusted port, client IPv6 addresses or prefixes, client MAC addresses, and
lease time fields of the packets are extracted, and a binding or prefix record is generated according to the client port ID
recorded by the device (wired interface index), and the client VLAN.
When the recorded lease time is over, or the legal DHCPv6 release/DHCPv6 decline packets sent from the client are
snooped, or users run the clear command to delete binding or prefix records, the corresponding binding or prefix records are
deleted.
Related Configuration
14.4 Configuration
14-11
Configuration Guide Configuring DHCPv6 Snooping
Notes
The port connecting the device to a trusted DHCPv6 server must be set as a trusted port.
The port on which DHCPv6 snooping takes effect can be a wired switch port, Layer-2 AP or Layer-2 encapsulation
sub-interface. Configuration on a port can be classified into configuration in interface mode.
The Link Down entry clearing function applies only to wired ports.
14-12
Configuration Guide Configuring DHCPv6 Snooping
Configuration Steps
Mandatory.
Configure the function if assignment needs to be delayed. Assignment is not delayed by default.
This function should be enabled if DHCPv6 snooping binding records need to be maintained after the device is
restarted.
Mandatory.
Set the port connecting the device to a trusted DHCPv6 device as a DHCPv6 trusted port.
Enabling and Disabling Clearing of Dynamically Bound Entries When the Port is Configured into Link Down
State
On a stable network, enable the function to release spaces occupied by hardware entries and timely clear the entries on
the Link Down port.
Verification
Check whether user records are generated in the DHCPv6 snooping binding database.
Related Commands
14-13
Configuration Guide Configuring DHCPv6 Snooping
Delaying Assignment of the DHCPv6 Snooping Binding Entries to the Hardware Filtering Entries
14-14
Configuration Guide Configuring DHCPv6 Snooping
Parameter time: Indicates the interval for regularly writing the DHCPv6 snooping database into flash.
Description
Command Global configuration mode
Mode
Usage Guide The DHCPv6 snooping database can be written into a flash file by configuring the command. The function
prevents user information loss after the device restarts. If user information is lost, users have to re-obtain IP
addresses for normal communication.
Configuration Example
Dynamically obtaining IPv6 addresses through the legal DHCPv6 server on a DHCPv6 client
14-15
Configuration Guide Configuring DHCPv6 Snooping
Scenario
Figure 14-10
B(config-if-GigabitEthernet 0/1)#end
14-16
Configuration Guide Configuring DHCPv6 Snooping
B
Ruijie#show ipv6 dhcp snooping
Common Errors
Other access security options are configured on the uplink port, resulting in failure of DHCPv6 trusted port
configuration.
The DHCPv6 server can obtain more information during address assignment, thus improving address assignment.
The option is transparent to the DHCPv6 client, and such function is perception-free to the client.
Configuration Steps
If not specified, enable the function on the device where DHCPv6 snooping is enabled.
Verification
Check the configuration of DHCPv6 snooping to ensure that such function is enabled.
14-17
Configuration Guide Configuring DHCPv6 Snooping
Related Commands
Command [ no ] ipv6 dhcp snooping information option format remote-id { string ASCII-string | hostname }
Parameter string ASCII-string: Indicates that the content of Remote ID in an extension format is a customized
Description character string.
hostname: Indicates that the content of Remote ID in an extension format is hostname.
Command Global configuration mode
Mode
Usage Guide Remote ID is configured in an extension format by configuring the command. Remote ID is customized, and
the DHCPv6 server assigns addresses according to information on Option 37.
Command [ no ] ipv6 dhcp snooping vlan vlan-id information option format-type interface-id string ASCII-string
Parameter vlan-id: Indicates the VLAN to which DHCPv6 request packets belong.
Description ASCII-string: Indicates the user-customized content to be filled in for Interface-ID.
Command Interface configuration mode
Mode
Usage Guide Customized character strings of Interface ID are configured in an extension format by configuring the
command, and the DHCPv6 server assigns addresses according to information on Option 18.
Command [ no ] ipv6 dhcp snooping vlan vlan-id information option change-vlan-to vlan vlan-id
Parameter
vlan-id (the first one): Indicates the VLAN to which DHCPv6 request packets belong.
Description
vlan-id (the second one): Indicates the VLAN after modification.
Command Interface configuration mode
Mode
Usage Guide Interface ID is configured as VLAN mapping in an extension format by configuring the command, and the
DHCPv6 server assigns addresses according to information on Option 18.
14-18
Configuration Guide Configuring DHCPv6 Snooping
Configuration Example
The following example shows how to add Option 18 and Option 37 to DHCPv6 request packets.
Ruijie(config)# end
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears dynamic user information in the clear ipv6 dhcp snooping binding [ vlan vlan-id | mac | ipv6 | interface
DHCPv6 snooping database. interface-id]
Clears all entries in the DHCPv6 clear ipv6 dhcp snooping prefix
snooping prefix database.
Clears statistics about DHCPv6 clear ipv6 dhcp snooping statistics
snooping handling DHCPv6 packets.
Displaying
Description Command
Displays DHCPv6 snooping show ipv6 dhcp snooping
configuration.
14-19
Configuration Guide Configuring DHCPv6 Snooping
Displays the VLANs on which DHCPv6 show ipv6 dhcp snooping vlan
snooping fails to take effect.
Displays all dynamically bound entries show ipv6 dhcp snooping binding
in the DHCPv6 snooping binding
database.
Displays all entries in the DHCPv6 show ipv6 dhcp snooping prefix
snooping prefix database.
Displays the counters of DHCPv6 show ipv6 dhcp snooping statistics
snooping handling packets.
Displays all statically bound entries show ipv6 source binding
added manually and all dynamically
bound entries in the DHCPv6 snooping
binding database.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs DHCPv6 snooping events. debug snooping ipv6 event
Disables debugging of DHCPv6 no debug snooping ipv6 event
snooping events.
Debugs DHCPv6 snooping packets. debug snooping ipv6 packet
Disables debugging of DHCPv6 no debug snooping ipv6 packet
snooping packets.
14-20
Configuration Guide Configuring ARP Check
15.1 Overview
The Address Resolution Protocol (ARP) packet check filters all ARP packets under ports (including wired layer-2 switching
ports, layer-2 aggregate ports (APs), and layer-2 encapsulation sub-interfaces) and discards illegal ARP packets, so as to
effectively prevent ARP deception via networks and to promote network stability. On devices supporting ARP check, illegal
ARP packets in networks will be ignored according to the legal user information (IP-based or IP-MAC based) generated by
security application modules such as IP Source Guard, global IP+MAC binding, 802.1X authentication, GSN binding, Web
authentication and port security.
Figure 15-1
Legal user
information
table
Global IP+MAC
Port security
binding function
The above figure shows that security modules generate legal user information (IP-based or IP-MAC based). ARP Check
uses the information to detect whether the Sender IP fields or the <Sender IP, Sender MAC>fields in all ARP packets at ports
matches those in the list of legal user information. If not, all unlisted ARP packets will be discarded.
15-1
Configuration Guide Configuring ARP Check
15.2 Applications
Application Description
Filtering ARP packets in Networks Illegal users in networks launch attacks using forged ARP packets.
Check ARP packets from distrusted ports and filter out ARP packets with addresses not matching the results assigned by the
DHCP server.
For example, in the following figure, the ARP packets sent by DHCP clients are checked.
The ports receiving ARP packets, the source MAC addresses of ARP packets, and the source IP addresses of ARP
packets shall be consistent with the snooped DHCP-assigned records.
Figure 15-2
Deployment
Enable IP Source Guard and ARP Check on all distrusted ports on S to realize ARP packet filtration.
15.3 Features
Basic Concepts
15-2
Configuration Guide Configuring ARP Check
IP-based: IP-based mode: port security, and static configuration of IP Source Guard.
IP-MAC based: IP-MAC based mode: port security, global IP+MAC binding, 802.1X authorization, IP Source Guard,
GSN binding, and Web authentication.
The ARP Check has two modes: Enabled and Disabled. The default is Enabled.
1. Enabled Mode
Through ARP Check, ARP packets are detected based on the IP/IP-MAC based binding information provided by the
following modules.
802.1X authorization
IP Source Guard
GSN binding
Port security
Web authentication
When only ARP Check is enabled on a port but the above-mentioned modules are not enabled, legal user information
cannot be generated, and thereby all ARP packets from this port will be discarded.
When the ARP Check and VRRP functions are enabled on an interface, if the physical IP address and virtual IP
address of the interface can be used as the gateway address, the physical IP address and VRRP IP address need to be
permitted to pass. Otherwise, ARP packets sent to the gateway will be filtered out.
2. Disabled Mode
Overview
Feature Description
Filtering ARP Check the source IP and source MAC addresses of ARP packets to filter out illegal ARP packets.
Packets
Working Principle
A device matches the source IP and source MAC addresses of the ARP packets received at its ports with the legal user
information of the device. With successful matching, packets will be transferred, or otherwise they will be discarded.
Related Configuration
15-3
Configuration Guide Configuring ARP Check
Unless otherwise noted, this function is usually configured on the ports of access devices.
15.4 Configuration
Notes
When ARP Check is enabled, the number of policies or users of related security applications may decrease.
ARP Check can be enabled only on wired switching ports, layer-2 APs, layer-2 encapsulation sub-interfaces. Enable
ARP check for the wired in interface configuration mode.
Configuration Steps
(Mandatory) The function is disabled by default. To use the ARP Check function, an administrator needs to run a
command to enable it.
Verification
Use the show interface { interface-type interface-number } arp-check list command to display filtering entries.
Related Commands
Command arp-check
15-4
Configuration Guide Configuring ARP Check
Parameter N/A
Description
Command Interface configuration mode
Usage Guide Generate ARP filtration information according to the legal user information of security application modules to
filter out illegal ARP packets in networks.
Configuration Example
The following configuration example introduces only ARP Check related configurations.
Configuration Enable ARP Check. Restricted ARP packets must conform to entries of IP Source Guard, port security,
Steps or global IP+MAC binding.
Ruijie(config)#address-bind install
Ruijie(config-if-GigabitEthernet 0/1)#arp-check
Ruijie(config-if-GigabitEthernet 0/1)#exit
Ruijie(config-if-GigabitEthernet 0/4)#arp-check
Ruijie(config-if-GigabitEthernet 0/4)#exit
Ruijie(config-if-GigabitEthernet 0/5)#arp-check
Ruijie(config-if-GigabitEthernet 0/5)#end
Verification Use the show interface arp-check list command to display the effective ARP Check list for interfaces.
15-5
Configuration Guide Configuring ARP Check
Common Errors
If ARP packets at a port need to be checked but APR-Check is disabled, then APR-Check will not be effective.
15.5 Monitoring
Displaying
Description Command
Displays the effective ARP Check list show interface [ interface-type interface-number ] arp-checklist
based on ports.
15-6
Configuration Guide Configuring Dynamic ARP Inspection
16.1 Overview
Dynamic Address Resolution Protocol (ARP) inspection (DAI) checks the validity of received ARP packets. Invalid ARP
packets will be discarded.
DAI ensures that only valid ARP packets can be forwarded by devices. DAI mainly performs the following steps:
Intercepts all ARP request packets and ARP reply packets on untrusted ports in the virtual local area networks (VLANs)
where the DAI function is enabled.
Checks the validity of intercepted ARP packets according to user records stored in a security database.
Discards the ARP packets that do not pass the validity check.
Sends the ARP packets that pass the validity check to the destination.
The DAI validity criteria are the same as those of ARP Check. For details, see the Configuring ARP Check.
DAI and ARP Check have same functions. The only difference is that DAI takes effect by VLAN whereas ARP Check takes
effect by port.
16.2 Applications
Application Description
ARP Spoofing Prevention Prevent ARP spoofing that is mounted by taking advantage of ARP defects.
Due to inherent defects, ARP does not check the validity of received ARP packets. Attackers can take advantage of the
defects to mount ARP spoofing. A typical example is man-in-the-middle (MITM) attack. See Figure 16-1.
16-1
Configuration Guide Configuring Dynamic ARP Inspection
Figure 16-1
When User A needs to initiate network layer communication with User B, User A broadcasts an ARP request in the subnet to
query the MAC address of User B. Upon receiving the ARP request packet, User B updates its ARP cache with IP A and
MAC A, and sends an ARP reply. Upon receiving the ARP reply packet, User A updates its ARP cache with IP B and MAC B.
In this model, User C can make the ARP entry mapping between User A and User B incorrect by continuously broadcasting
ARP reply packets to the network. The reply packets contain IP A, IP B, and MAC C, After receiving these reply packets,
User A stores the ARP entry (IP B, MAC C), and User B stores the ARP entry (IP A, MAC C). As a result, the communication
between User A and User B is directed to User C, without the knowledge of User A and User B. Here User C acts as the man
in the middle by modifying received packets and forwarding them to User A or User B.
If Device S is enabled with DAI, it will filter out forged ARP packets to prevent ARP spoofing as long as the IP addresses of
User A and User B meet the validity criteria described in section 16.1 Overview. Figure 16-2 shows the working process of
DAI.
Figure 16-2
16-2
Configuration Guide Configuring Dynamic ARP Inspection
The ARP packets of User A and User B are forwarded normally by Device S. The forged ARP packets of User C are
discarded because the packets do not match the records in the security database of Device S.
Deployment
16.3 Features
Basic Concepts
ARP packet check is performed according to the trust status of ports. DAI considers packets received from trusted ports as
valid without checking their validity, but it checks the validity of packets received from untrusted ports.
For a typical network configuration, you should configure Layer-2 ports connected to network devices as trusted ports, and
configure Layer-2 ports connected to hosts as untrusted ports.
Network communication may be affected if a Layer-2 port connected to a network device is configured as an untrusted
port.
Overview
Feature Description
Invalid ARP Packet Filter Checks the source IP addresses and MAC addresses of ARP packets to filter out
invalid packets.
DAI Trusted Port Permits the ARP packets received from specific ports to pass through without
checking their validity.
Working Principle
16-3
Configuration Guide Configuring Dynamic ARP Inspection
Upon receiving an ARP packet, the device matches the IP address and MAC address of the packet with the valid user
records in its security database. If the packet matches a record, it will be forwarded normally. If it does not match any record,
it will be discarded.
DAI and ARP Check use the same set of valid user records. For details, see the packet validity check description in the
Configuring ARP Check.
Related Configuration
Run the ip arp inspection vlan vlan-id command to enable DAI in a specific VLAN.
After DAI is enabled in a VLAN, DAI may not take effect on all ports in the VLAN. A DHCP Snooping trusted port does
not perform DAI check.
After DAI is enabled in a VLAN, you can run the no ip arp inspection vlan vlan-id command to disable DAI.
Disabling DAI in a VLAN does not mean disabling packet validity check on all ports in the VLAN. The ports with ARP
Check effective still check the validity of received ARP packets.
Working Principle
The validity of ARP packets received from trusted ports is not checked. The ARP packets received from untrusted ports are
checked against the user records in a security database.
Related Configuration
Run the ip arp inspection trust command to set ports to trusted state.
A port already enabled with access security control cannot be set to DAI trusted state. To set the port to DAI trusted
state, first disable access security control.
In normal cases, uplink ports (ports connected to network devices) can be configured as DAI trusted ports.
16-4
Configuration Guide Configuring Dynamic ARP Inspection
16.4 Configuration
Notes
Configuration Steps
Optional.
Perform this configuration when you need to enable ARP packet validity check on all ports in a VLAN.
Optional.
It is recommended to configure uplink ports as DAI trusted ports after DAI is enabled. Otherwise, the uplink ports
enabled with other security features and set to trusted state accordingly may filter out valid ARP packets due to the
absence of DAI user entries.
For details, see the rate limit command description in the Configuring the NFPP.
Verification
Construct invalid ARP packets by using a packet transfer tool and check whether the packets are filtered out on
DAI-enabled devices.
Related Commands
16-5
Configuration Guide Configuring Dynamic ARP Inspection
Enabling DAI
Configuration Example
Allowing Users' PCs to Use only Addresses Allocated by a DHCP Server to Prevent ARP Spoofing
Scenario
Figure 16-3
Configuration
Enable DHCP Snooping on the access switch (Switch A) and configure its uplink port (GigabitEthernet
Steps
0/3) connected to the valid DHCP server as a trusted port.
Enable DAI.
Switch A
A#configure terminal
A(config)#vlan 2
16-6
Configuration Guide Configuring Dynamic ARP Inspection
A(config-vlan)#exit
A(config-if-range)#exit
Verification Check whether DHCP Snooping, IP Source Guard, and DAI are enabled and whether trusted ports are
configured correctly.
Check whether the uplink port on Switch A is a DHCP Snooping trusted port.
Check whether DAI is enabled successfully in the VLAN and the uplink ports are DAI trusted ports.
Switch A
A#show running-config
Common Errors
16.5 Monitoring
Displaying
Description Command
Displays the DAI state of a specific show ip arp inspection vlan [ vlan-id | word ]
VLAN.
Displays the DAI configuration state show ip arp inspection interface
of each Layer-2 port.
16-7
Configuration Guide Configuring IP Source Guard
17.1 Overview
The IP Source Guard function realizes hardware-based IP packet filtering to ensure that only the users having their
information in the binding database can access networks normally, preventing users from forging IP packets.
17.2 Applications
Application Description
Guarding Against IP/MAC Spoofing In network environments, users set illegal IP addresses and malicious users launch
Attack attacks through forging IP packets.
Check the IP packets from DHCP untrusted ports. Forged IP packets will be filtered out based on the IP or IP-MAC field.
For example, in the following figure, the IP packets sent by DHCP clients are checked.
The Source MAC Address fields of layer-2 packets should match the MAC addresses in DHCP request packets from
clients.
Figure 17-1
Deployment
17-1
Configuration Guide Configuring IP Source Guard
Enable IP–MAC match mode for IP Source Guard on S, filtering IP packets based on IP and MAC addresses.
17.3 Features
Basic Concepts
Source IP Address
IP-based Filtering
Indicate a policy of IP packet filtering, where only the source IP addresses of all IP packets (except DHCP packets) passing
through a port are checked. It is the default filtering policy of IP Source Guard.
A policy of IP packet filtering, where both the source IP addresses and source MAC addresses of all IP packets are checked,
and only those user packets with these IP addresses and MAC addresses existing in the binding database are permitted.
As the basis of security control of the IP Source Guard function, the data in the address binding database comes from two
ways: the DHCP Snooping binding database and static configuration. When IP Source Guard is enabled, the data of the
DHCP Snooping binding database is synchronized to the address binding database of IP Source Guard, so that IP packets
can be filtered strictly through IP Source Guard on a device with DHCP Snooping enabled.
Excluded VLAN
By default, when IP Source Guard is enabled on a port, it is effective to all the VLANs under the port. Users may specify
excluded VLANs, within which IP packets are not checked and filtered, which means that such IP packets are not controlled
by IP Source Guard. At most 32 excluded VLANs can be specified for a port.
Overview
Feature Description
Checking Source Address Filter the IP packets passing through ports by IP-based or IP-MAC based filtering.
Fields of Packets
17-2
Configuration Guide Configuring IP Source Guard
Working Principle
When IP Source Guard is enabled, the source addresses of packets passing through a port will be checked. The port can be
a wired switching port, a layer-2 aggregate port (AP), or a layer-2 encapsulation sub-interface. Such packets will pass the
port only when the source address fields of the packets match the set of the address binding records generated by DHCP
Snooping, or the static configuration set by the administrator. There are two matching modes as below.
IP-based Filtering
Packets are allowed to pass a port only if the source IP address fields of them belong to the address binding database.
Packets are allowed to pass a port only when both the layer-2 source MAC addresses and layer-3 source IP addresses of
them match an entry in the address binding database.
Packets within such a VLAN are allowed to pass a port without check or filtering.
Related Configuration
Usually IP Source Guard needs to work with DHCP Snooping. Therefore, DHCP Snooping should also be enabled.
DHCP Snooping can be enabled at any time on Ruijie devices, either before or after IP Source Guard is enabled.
By default, legal users passing IP Source Guard check are all from the binding database of DHCP Snooping.
Excluded VLANs may be specified which are exempted from IP Source Guard using the ip verify source exclude-vlan
command.
Excluded VLANs can be specified only after IP Source Guard is enabled on a port. Specified excluded VLANs will be
deleted automatically when IP Source Guard is disabled on a port.
17-3
Configuration Guide Configuring IP Source Guard
The above-mentioned port can be a wired switching port, a layer-2 AP port or a layer-2 encapsulation sub-interface.
17.4 Configuration
Notes
When IP Source Guard is enabled, IP packets forwarding may be affected. In general case, IP Source Guard is enabled
together with DHCP Snooping.
IP Source Guard cannot be configured on the trusted ports controlled by DHCP Snooping.
IP Source Guard can be configured and enabled only on wired switch ports, Layer-2 AP ports and Layer-2
encapsulation sub-ports. In a wired access scenario, it is supposed to be configured in the interface configuration mode.
Configuration Steps
Verification
Use the monitoring commands to display the address binding database of IP Source Guard.
Related Commands
17-4
Configuration Guide Configuring IP Source Guard
Usage Guide Detection of users based on IP address or both IP and MAC addresses can be realized by enabling IP
Source Guard for a port.
Command ip source binding mac-address { vlan vlan-id } ip-address { interface interface-id | ip-mac | ip-only }
Parameter mac-address: The MAC address of a static binding
Description vlan-id: The VLAN ID of a static binding. It indicates the outer VLAN ID of a QINQ-termination user.
ip-address: The IP address of a static binding
interface-id: The Port ID (PID) of a static binding
ip-mac: IP-MAC based mode
ip-only: IP-based mode
Configuration Global configuration mode
Mode
Usage Guide Through this command, legitimate users can pass IP Source Guard detection instead of being controlled by
DHCP.
Configuration Example
17-5
Configuration Guide Configuring IP Source Guard
Ruijie(config)# end
Ruijie(config-if)# end
Common Errors
17.5 Monitoring
Displaying
17-6
Configuration Guide Configuring IP Source Guard
Description Command
Displays the address filtering table of show ip verify source [interface interface-id]
IP Source Guard.
Displays the address binding show ip source binding
database of IP Source Guard.
17-7
Configuration Guide Configuring IPv6 Source Guard
18.1 Overview
IPv6 Source Guard binding allows IPv6 packets to be filtered by hardware so as to ensure that only the users having
corresponding information in the IPv6 packet hardware filtering database can access the Internet, thus preventing users from
configuring IP addresses without authorization or fabricating IPv6 packets.
18.2 Applications
Application Description
Prevention of IPv6/MAC Spoofing There are malicious users on a network who fabricate IPv6 packets to launch an
attack.
When checking the IPv6 packets from the untrusted DHCPv6 ports, you may check IPv6 fields only or IPv6+MAC fields,
thereby filtering fabricated IPv6 packets.
As shown in the following figure, IPv6 packets sent from the Dynamic Host Configuration Protocol version 6 (DHCPv6) client
will be checked.
The source address fields of IPv6 packets must match IPv6 addresses assigned by the DHCPv6 client.
The source media access control (MAC) addresses of Layer-2 packets must match those assigned by DHCPv6
Snooping to hardware filtering records.
Figure 18-1
18-1
Configuration Guide Configuring IPv6 Source Guard
Deployment
Set all the downstream interfaces on the access device S as untrusted DHCPv6 ports.
On the access device S, enable IPv6 Source Guard for IPv6 packet filtering.
On the access device S, set the match mode of IPv6 Source Guard as IPv6+MAC for checking MAC fields and IPv6
fields of IPv6 packets.
18.3 Features
Basic Concepts
Source IPv6
Source MAC
The source IPv6-based filtering policy checks only the source IPv6 addresses of all IPv6 packets (except DHCP packets)
passing through the interface. The source IPv6-based filtering policy is the default filtering policy of IPv6 Source Guard.
The source IPv6-based filtering policy checks the source IPv6+source MAC of all IPv6 packets, and only the user packets
saved in the database for binding user records are allowed to pass through.
The database for binding user records is the basis for IPv6 Source Guard security control. Currently, the data in the database
binding user records come from the following two sources. One is the DHCPv6 Snooping binding database. After IPv6
Source Guard is enabled, the information in the DHCPv6 Snooping binding database is synchronized to the user binding
database of IPv6 Source Guard so that IPv6 Source Guard can filter the IPv6 packets of the client on the device where
DHCPv6 Snooping is enabled. The other is users' static configuration.
Overview
18-2
Configuration Guide Configuring IPv6 Source Guard
Feature Description
Checking the Source Filters the IPv6 packets passing through the interface based on source IPv6 or source IPv6+source
Address Fields of MAC.
Packets
Working Principle
After IPv6 Source Guard is enabled, the device checks the source addresses of the packets passing through the port. The
port can be a wired switch port, Layer-2 aggregate port (AP) or Layer-2 encapsulation sub interface. Only the packets whose
source address fields match the user binding record set generated by DHCPv6 Snooping or the user set statically configured
by the administrator can pass through the port. There are two matching methods:
If IPv6 fields of a packet belong to the identity association in the user binding records, the packet is allowed to pass through
the port.
Only when Layer-2 MAC and Layer-3 IPv6 of a packet completely match a certain record in the set of authenticated users
can the packet pass through the port.
Related Configuration
IPv6 Source Guard of the port can be enabled or disabled by running the ipv6 verify source command.
Typically, DHCPv6 Snooping is used together with IPv6 Source Guard , so DHCPv6 Snooping needs to be enabled.
Timing for enabling DHCPv6 Snooping is not limited on Ruijie devices. You can enable DHCPv6 Snooping before or
after IPv6 Source Guard is enabled.
By default, all sets of authenticated users checked by IPv6 Source Guard are from the bound users of DHCPv6 Snooping.
Run the ipv6 source binding command to add extra user binding records.
18.4 Configuration
18-3
Configuration Guide Configuring IPv6 Source Guard
Notes
IPv6 Source Guard is based on DHCPv6 Snooping; that is to say, interface-based IPv6 Source Guard takes effect only
on the untrusted ports controlled by DHCPv6 Snooping. If configured on trusted ports or the interfaces on VLANs not
controlled by DHCPv6 Snooping, the function will not take effect.
Configuration Steps
Verification
Use the monitoring command provided by the device to view the user filtering entries of IPv6 Source Guard.
Related Commands
Command ipv6 source binding mac-address vlan vlan-id ipv6-address { interface interface-id | ip-mac | ip-only }
Parameter mac-address: Indicates the MAC address of a statically added user.
Description vlan-id: Indicates the VLAN ID of a statically added user.
ipv6-address: Indicates the IPv6 addresses of a statically added user.
interface-id: Indicates the wired access interface for a statically added user.
ip-mac: Indicates that the global binding mode is IPv6+MAC binding mode.
ip-only: Indicates that the global binding mode is IPv6 binding mode only.
18-4
Configuration Guide Configuring IPv6 Source Guard
Configuration Example
Ruijie(config-ipv6-nacl)# exit
Ruijie(config)# end
18-5
Configuration Guide Configuring IPv6 Source Guard
GigabitEthernet 0/5
Common Errors
18.5 Monitoring
Displaying
Description Command
Displays information on the IPv6 show ipv6 source binding
source address binding database.
18-6
Configuration Guide Configuring Gateway-targeted ARP Spoofing Prevention
19.1 Overview
Gateway-targeted Address Resolution Protocol (ARP) spoofing prevention effectively prevents gateway-targeted ARP
spoofing by checking on the logical port whether the source IP addresses of ARP packets (Sender IP fields of ARP packets)
are the self-configured gateway IP addresses.
19.2 Applications
Application Description
Typical Application of Blocks ARP spoofing packets with forged gateway address and intranet server IP
Gateway-targeted ARP Spoofing addresses to ensure that users can access the Internet.
Prevention
PC users access the office server through the access device Switch A, and connect to external networks through the
gateway.
If any users legally use forged gateway IP addresses or server IP addresses to perform ARP spoofing, the other users
cannot access the Internet and the server.
The ARP spoofing packets with forged gateway address and intranet server IP addresses must be blocked to ensure
that users can access the Internet.
19-1
Configuration Guide Configuring Gateway-targeted ARP Spoofing Prevention
Deployment
On the access switch (Switch A), enable gateway-targeted spoofing prevention on the ports (Gi 0/3 and Gi 0/4 in this
case) directly connected to the PC. The gateway addresses include intranet gateway address and intranet server
address.
19.3 Features
Basic Concepts
ARP
ARP is a TCP/IP protocol that obtains physical addresses according to IP addresses. Its function is as follows: The host
broadcasts ARP requests to all hosts on the network and receives the returned packets to determine physical addresses of
the target IP addresses, and saves the IP addresses and hardware addresses in the local ARP cache, which can be directly
queried in response to future requests. On the same network, all the hosts using the ARP are considered as mutually trustful
to each other. Each host on the network can independently send ARP response packets; the other hosts receive the
response packets and record them in the local ARP cache without detecting their authenticity. In this way, attackers can send
forged ARP response packets to target hosts so that the messages sent from these hosts cannot reach the proper host or
reach a wrong host, thereby causing ARP spoofing.
When User A sends an ARP packet requesting the media access control (MAC) address of a gateway, User B on the same
VLAN also receives this packet, and User B can send an ARP response packet, passing off the gateway IP address as the
source IP address of the packet, and User B's MAC address as the source MAC address. This is called gateway-targeted
19-2
Configuration Guide Configuring Gateway-targeted ARP Spoofing Prevention
ARP spoofing. After receiving the ARP response, User A regards User B's machine as the gateway, so all the packets sent
from User A to the gateway during communication will be sent to User B. In this way, User A's communications are
intercepted, thereby causing ARP spoofing.
Overview
Feature Description
Gateway-targeted Blocks ARP spoofing packets with forged gateway address and intranet server IP addresses to
ARP Spoofing ensure that users can access the Internet.
Prevention
Gateway-targeted ARP spoofing prevention effectively prevents ARP spoofing aimed at gateways by checking on the logical
port whether the source IP addresses of ARP packets are the self-configured gateway IP addresses. If an ARP packet uses
the gateway address as the source IP address, the packet will be discarded to prevent users from receiving wrong ARP
response packets. If not, the packet will not be handled. In this way, only the devices connected to the switch can send ARP
packets, and the ARP response packets sent from the other PCs which pass for the gateway are filtered by the switch.
Related Configuration
Run the anti-arp-spoofing ip command to configure the gateway-targeted ARP spoofing prevention addresses.
19.4 Configuration
Optional.
Configuring
Gateway-targeted Spoofing Configures gateway-targeted ARP spoofing
Prevention anti-arp-spoofing ip prevention on the logical port and specifies
the gateway IP address.
Configuration Steps
19-3
Configuration Guide Configuring Gateway-targeted ARP Spoofing Prevention
Verification
Run the show anti-arp-spoofing command to display all data on gateway-targeted ARP spoofing prevention.
Related Commands
Configuration Example
Scenario
Figure 19-2
PC users access the office server through the access device Switch A, and connect external networks
through the gateway. If any users legally use forged gateway IP addresses or server IP addresses to
perform ARP spoofing, the other users cannot access the Internet or the server. The ARP spoofing packets
with forged gateway address and intranet server IP addresses must be blocked to ensure that users can
access the Internet.
19-4
Configuration Guide Configuring Gateway-targeted ARP Spoofing Prevention
Configuration Enable gateway-targeted spoofing prevention on the port directly connected to the PC.
Steps
Verification Run the show anti-arp-spoofing command to check for data on gateway-targeted ARP spoofing
prevention.
SwitchA#show anti-arp-spoofing
NO PORT IP STATUS
19.5 Monitoring
Displaying
Description Command
Displays all data on show anti-arp-spoofing
gateway-targeted ARP spoofing
prevention.
19-5
Configuration Guide Configuring NFPP
20 Configuring NFPP
20.1 Overview
Malicious attacks are always found in the network environment. These attacks bring heavy burdens to switches, resulting in
high CPU usage and operational troubles. These attacks are as follows:
Denial of Service (DoS) attacks may consume lots of memory, entries, or other resources of a switch, which will cause
system service termination.
Massive attack traffic is directed to the CPU, occupying the entire bandwidth of the CPU. In this case, normal protocol traffic
and management traffic cannot be processed by the CPU, causing protocol flapping or management failure. The forwarding
in the data plane will also be affected and the entire network will become abnormal.
A great number of attack packets directed to the CPU consume massive CPU resources, making the CPU highly loaded and
thereby influencing device management and performance.
NFPP can effectively protect the system from these attacks. Facing attacks, NFPP maintains the proper running of various
system services with a low CPU load, thereby ensuring the stability of the entire network.
20.2 Applications
Application Description
Due to various malicious attacks such as ARP attacks and IP scanning attacks in the
network, the CPU cannot process normal protocol and management traffics, causing
Attack Rate Limiting
protocol flapping or management failure. The NFPP attack rate limiting function is
used to limit the rate of attack traffic or isolate attack traffic to recover the network.
If normal service traffics are too large, you need to classify and prioritize the traffics.
When a large number of packets are directed to the CPU, the CPU will be highly
CentralizedBandwidth Allocation loaded, thereby causing device management or device running failure. The
centralized bandwidth distribution function is used to increase the priority of such
traffics so that switches can run stably.
NFPP supports attack detection and rate limiting for various types of packets, including Address Resolution Protocol (ARP),
Internet Control Message Protocol (ICMP), and Dynamic Host Configuration Protocol (DHCP) packets. It also allows users to
define packet matching characteristics and corresponding attack detection and rate limiting policies. The attack rate limiting
20-1
Configuration Guide Configuring NFPP
function takes effect based on types of packets. This section uses ARP packets as an example scenario to describe the
application.
If an attacker floods ARP attack packets while CPU capability is insufficient, most of the CPU resources will be consumed for
processing these ARP packets. If the rate of attacker's ARP packet rates exceeds the maximum ARP bandwidth specified in
the CPU Protect Policy (CPP) of the switch, normal ARP packets may be dropped. As shown in Figure 20-1, normal hosts
will fail to access the network, and the switch will fail to send ARP replies to other devices.
Figure 20-1
Deployment
By default, the ARP attack detection and rate limiting function is enabled with corresponding policies configured. If the
rate of an attacker's ARP packets exceeds the rate limit, the packets are discarded. If it exceeds the attack threshold, a
monitoring user is generated and prompt information is exported.
If the rate of an attacker's ARP packets exceeds the rate limit defined in CPP and affects normal ARP replies, you can
enable attack isolation to discard ARP attack packets based on the hardware and recover the network.
For details about CPP-related configurations, see the Configuring CPU Protection.
To maximize the use of NFPP guard functions, modify the rate limits of various services in CPP based on the
application environment or use the configurations recommended by the system. You can run the show cpu-protect
summary command to display the configurations.
A switch classifies services defined in CPP into three types: Manage, Route, and Protocol. Each type of services has an
independent bandwidth. Different types of services cannot share their bandwidths. Traffics with bandwidths exceeding the
thresholds will be discarded. By such service classification, service packets are processed by orders of precedence.
As shown in Figure 20-2, the switch receives a large number of Telnet packets, OSPF packets, and ARP packets, causing
CPU overload. In this case, the CPU cannot process all packets, and a large quantity of packets are backlogged in the queue,
causing various problems such as frequent Telnet disconnection, OSPF protocol flapping, and ARP access failure on hosts.
20-2
Configuration Guide Configuring NFPP
Figure 20-2
Deployment
By default, CPU centralized bandwidth allocation is enabled to assign an independent bandwidth and bandwidth ratio to
each type of services. At the time, the CPU first processes Telnet packets to ensure uninterrupted connection of Telnet
service, and then processes OSPF packets to maintain OSPF protocol stability, and finally processes ARP packets.
If the preceding problems still occur in default configurations, you can accordingly adjust the bandwidths and bandwidth
ratios of various types of services.
20.3 Features
Basic Concepts
ARP Guard
In local area networks (LANs), IP addresses are mapped to MAC addresses through ARP, which has a significant role in
safeguarding network security. ARP-based DoS attacks mean that a large number of unauthorized ARP packets are sent to
the gateway through the network, causing the failure of the gateway to provide services for normal hosts. To prevent such
attacks, limit the rate of ARP packets and identify and isolate the attack source.
IP Guard
Many hacker attacks and network virus intrusions start from scanning active hosts in the network. Therefore, many scanning
packets rapidly occupy the network bandwidth, causing network communication failure.
To solve this problem, Ruijie Layer-3 switches provide IP guard function to prevent hacker scanning and Blaster Worm
viruses and reduce the CPU load. Currently, there are mainly two types of IP attacks:
Scanning destination IP address changes: As the greatest threat to the network, this type of attacks not only consumes
network bandwidth and increases device load but also is a prelude of most hacker attacks.
20-3
Configuration Guide Configuring NFPP
Sending IP packets to non-existing destination IP addresses at high rates: This type of attacks is mainly designed for
consuming the CPU load. For a Layer-3 device, if the destination IP address exists, packets are directly forwarded by the
switching chip without occupying CPU resources. If the destination IP address does not exist, IP packets are sent to the CPU,
which then sends ARP requests to query the MAC address corresponding to the destination IP address. If too many packets
are sent to the CPU, CPU resources will be consumed. This type of attack is less destructive than the former one.
To prevent the latter type of attack, limit the rate of IP packets and find and isolate the attack source.
ICMP Guard
ICMP is a common approach to diagnose network failures. After receiving an ICMP echo request from a host, the router or
switch returns an ICMP echo reply. The preceding process requires the CPU to process the packets, thereby definitely
consuming part of CPU resources. If an attacker sends a large number of ICMP echo requests to the destination device,
massive CPU resources on the device will be consumed heavily, and the device may even fail to work properly. This type of
attacks is called ICMP flood. To prevent this type of attacks, limit the rate of ICMP packets and find and isolate the attack
source.
DHCP Guard
DHCP is widely used in LANs to dynamically assign IP addresses. It is significant to network security. Currently, the most
common DHCP attack, also called DHCP exhaustion attack, uses faked MAC addresses to broadcast DHCP requests.
Various attack tools on the Internet can easily complete this type of attack. A network attacker can send sufficient DHCP
requests to use up the address space provided by the DHCP server within a period. In this case, authorized hosts will fail to
request DHCP IP addresses and thereby fail to access the network. To prevent this type of attacks, limit the rate of DHCP
packets and find and isolate the attack source.
DHCPv6 Guard
DHCP version 6 (DHCPv6) is widely used in LANs to dynamically assign IPv6 addresses. Both DHCP version 4 (DHCPv4)
and DHCPv6 have security problems. Attacks to DHCPv4 apply also to DHCPv6. A network attacker can send a large
number of DHCPv6 requests to use up the address space provided by the DHCPv6 server within a period. In this case,
authorized hosts will fail to request IPv6 addresses and thereby fail to access the network. To prevent this type of attacks,
limit the rate of DHCPv6 packets and find and isolate the attack source.
ND Guard
Neighbor Discovery (ND) is mainly used in IPv6 networks to perform address resolution, router discovery, prefix discovery,
and redirection. ND uses five types of packets: Neighbor Solicitation (NS), Neighbor Advertisement (NA), Router Solicitation
(RS), Router Advertisement (RA), and Redirect. These packets are called ND packets.
Self-Defined Guard
There are various types of network protocols, including routing protocols such as Open Shortest Path First (OSPF) and
Routing Information Protocol (RIP). Various devices need to exchange packets through different protocols. These packets
must be sent to the CPU and processed by appropriate protocols. Once the network device runs a protocol, it is like opening
a window for attackers. If an attacker sends a large number of protocol packets to a network device, massive CPU resources
will be consumed on the device, and what's worse, the device may fail to work properly.
20-4
Configuration Guide Configuring NFPP
Since various protocols are being continuously developed, protocols in use vary with the user environments. Ruijie devices
hereby provide self-defined guard. Users can customize and flexibly configure guard types to meet guard requirements in
different user environments.
Overview
Feature Description
Host-based Rate Limiting
Limits the rate according to the host-based rate limit and identify host attacks in the network.
and Attack Identification
Port-based Rate Limiting
Limits the rate according to the port-based rate limit and identify port attacks.
and Attack Identification
Monitoring Period Monitors host attackers in a specified period.
Isolation Period Uses hardware to isolate host attackers or port attackers in a specified period.
Trusted Hosts Trusts a host by not monitoring it.
Centralized
Classifies and prioritizes packets.
BandwidthAllocation
Identify IP scanning.
Working Principle
Hosts can be identified in two ways: based on the source IP address, VLAN ID, and port and based on the link-layer source
MAC address, VLAN ID, and port. Each host has a rate limit and an attack threshold (also called alarm threshold). The rate
limit must be lower than the attack threshold. If the attack packet rate exceeds the rate limit of a host, the host discards the
packets beyond the rate limit. If the attack packet rate exceeds the attack threshold of a host, the host identifies and logs the
host attacks, and sends traps.
ARP scanning attack may have occurred if ARP packets beyond the scanning threshold received in the configured period
meet either of the following conditions:
The link-layer source MAC address is fixed but the source IP address changes.
The link-layer source MAC address and source IP address are fixed but the destination IP address continuously
changes.
Among IP packets beyond the scanning threshold received in the configured period, if the source IP address remains the
same while the destination IP address continuously changes, IP scanning attack may have occurred.
When NFPP detects a specific type of attack packets under a service, it sends a trap to the administrator. If the attack
traffic persists, NFPP will not resend the alarm until 60 seconds later.
To prevent CPU resource consumption caused by frequent log printing, NFPP writes attack detection logs to the buffer,
obtains them from the buffer at a specified rate, and prints them. NFPP does not limit the rate of traps.
20-5
Configuration Guide Configuring NFPP
Related Configuration
Configuring the Global Host-based Rate Limit, Attack Threshold, and Scanning Threshold
Run the arp-guard rate-limit {per-src-ip | per-src-mac} pps command to configure rate limits of hosts identified based on
the source IP address, VLAN ID, and port and hosts identified based on the link-layer source MAC address, VLAN ID, and
port.
Run the arp-guard attack-threshold {per-src-ip | per-src-mac} pps command to configure attack thresholds of hosts
identified based on the source IP address, VLAN ID, and port and hosts identified based on the link-layer source MAC
address, VLAN ID, and port.
Run the arp-guard scan-threshold pkt-cnt command to configure the ARP scanning threshold.
Configuring Host-based Rate Limit and Attack Threshold, and Scanning Threshold on an Interface
Run the nfpp arp-guard policy {per-src-ip | per-src-mac} rate-limit-pps attack-threshold-pps command to configure rate
limits and attack thresholds of hosts identified based on the source IP address, VLAN ID, and port and hosts identified based
on the link-layer source MAC address, VLAN ID, and port on an interface.
Run the nfpp arp-guard scan-threshold pkt-cnt command to configure the scanning threshold on an interface.
Each port has a rate limit and an attack threshold. The rate limit must be lower than the attack threshold. If the packet rate
exceeds the rate limit on a port, the port discards the packets. If the packet rate exceeds the attack threshold on a port, the
port logs the attacks and sends traps.
Related Configuration
Run the arp-guard rate-limit per-port pps command to configure the rate limit of a port.
Run the arp-guard attack-threshold per-port pps command to configure the attack threshold of a port.
20-6
Configuration Guide Configuring NFPP
Run the nfpp arp-guard policy per-port rate-limit-pps attack-threshold-pps command to configure the rate limit and attack
threshold of a port.
The monitoring user provides information about attackers in the current system. If the isolation period is 0 (that is, not
isolated), the guard module automatically performs software monitoring on attackers in the configured monitoring period. If
the isolation period is set to a non-zero value, the guard module automatically isolates the hosts monitored by software.
During software monitoring, if the isolation period is set to a non-zero value, the guard module automatically isolates the
attacker and sets the timeout period as the isolation period.
Related Configuration
Run the arp-guard monitor-period seconds command to configure the monitoring period.
Isolation is performed by the guard policies after attacks are detected. Isolation is implemented using the filter of the
hardware to ensure that these attacks will not be sent to the CPU, thereby ensuring proper running of the device.
Hardware isolation supports two modes: host-based and port-based isolation. At present, only ARP guard supports
port-based hardware isolation.
A policy is configured in the hardware to isolate attackers. However, hardware resources are limited. When hardware
resources are used up, the system prints logs to notify the administrator.
Related Configuration
Run the arp-guard isolate-period [seconds | permanent] command to configure the isolation period. If the isolation period
is set to 0, isolation is disabled. If it is set to a non-zero value, the value indicates the isolation period. If it is set to permanent,
ARP attacks are permanently isolated.
20-7
Configuration Guide Configuring NFPP
Run the nfpp arp-guard isolate-period [seconds | permanent] command to configure the isolation period. If the isolation
period is set to 0, isolation is disabled. If it is set to a non-zero value, the value indicates the isolation period. If it is set to
permanent, ARP attacks are permanently isolated.
Run the arp-guard ratelimit-forwarding enable command to enable port-based ratelimit forwarding.
At present, only ARP guard supports the configuration of isolate forwarding and ratelimit forwarding.
If you do not want to monitor a host, you can run related commands to trust the host. This trusted host will be allowed to send
packets to the CPU.
Related Configuration
Run the trusted-host {mac mac_mask | ip mask | IPv6/prefixlen} command to trust a host for a self-defined guard.
Services defined in CPP are classified into three types: Manage, Route, and Protocol. (For details, see the following table.)
Each type of service has an independent bandwidth. Different types of services cannot share their bandwidths. Traffics
exceeding the bandwidth thresholds are discarded. By such service classification, service packets are processed by orders
of precedence.
NFPP allows the administrator to flexibly assign bandwidth for three types of packets based on the actual network
environment so that Protocol and Manage packets can be first processed. Prior processing of Protocol packets ensures
proper running of protocols, and prior processing of Manage packets ensures proper management for the administrator,
thereby ensuring proper running of important device functions and improving the guard capability of the device.
20-8
Configuration Guide Configuring NFPP
After classified rate limiting, all types of packets are centralized in a queue. When one type of service is processed
inefficiently, packets of this service will be backlogged in the queue and may finally use up resources of the queue. NFPP
allows the administrator to configure the percentages of these three types of packets in the queue. When the queue length
occupied by one type of packets exceeds the value of the total queue length multiplied by the percentage of this packet type,
the excessive packets will be discarded. This efficiently prevents one type of packets from exclusively occupying queue
resources.
For the definitions of service types, see the Configuring CPU Protection.
Related Configuration
Run the cpu-protect sub-interface { manage | protocol|route} pps pps_value command to configure the maximum
bandwidth of specified packets.
Run the cpu-protect sub-interface { manage | protocol | route} percent percent_value command to configure the
maximum percentage of specified packets in the queue.
20.4 Configuration
20-9
Configuration Guide Configuring NFPP
20-10
Configuration Guide Configuring NFPP
20-11
Configuration Guide Configuring NFPP
ARP attacks are identified based on hosts or ports. Host-based ARP attack identification supports two modes:
identification based on the source IP address, VLAN ID, and port and identification based on the link-layer source MAC
address, VLAN ID, and port. Each type of attack identification has a rate limit and an attack threshold. If the ARP packet
rate exceeds the rate limit, the packets beyond the rate limit are discarded. If the ARP packet rate exceeds the attack
threshold, the system prints alarm information and sends traps. In host-based attack identification, the system also
isolates the attack source.
ARP guard can also detect ARP scanning attacks. ARP scanning attacks indicate that the link-layer source MAC
address is fixed but the source IP address changes, or that the link-layer source MAC address and source IP address
are fixed but the destination IP address continuously changes. Due to the possibility of false positive, hosts possibly
performing ARP scanning are not isolated and are provided for the administrator's reference only.
Configure ARP-guard isolation to assign hardware-isolated entries against host attacks so that attack packets are
neither sent to the CPU nor forwarded.
20-12
Configuration Guide Configuring NFPP
Notes
For a command that is configured both in NFPP configuration mode and interface configuration mode, the configuration
in interface configuration mode takes priority over that configured in NFPP configuration mode.
Isolation is disabled by default. If isolation is enabled, attackers will occupy hardware entries of the security module.
ARP guard prevents only ARP DoS attacks to the switch, but not ARP spoofing or ARP attacks in the network.
For trusted ports configured for Dynamic ARP Inspection (DAI), ARP guard does not take effect, preventing false
positive of ARP traffic over the trusted ports. For details about DAI trusted ports, see the Configuring Dynamic ARP
Inspection.
Configuration Steps
This function can be enabled in NFPP configuration mode or interface configuration mode.
If ARP guard is disabled, the system automatically clears monitored hosts, scanned hosts, and isolated entries on ports.
If the packet traffic of attackers exceeds the rate limit defined in CPP, you can configure the isolation period to discard
packets and therefore to save bandwidth resources.
The isolation period can be configured in NFPP configuration mode or interface configuration mode.
If the isolation period is changed to 0, attackers under the corresponding port is deleted, instead of being monitored.
To make isolation valid only at the management plane instead of the forwarding plane, you can enable this function.
If the port-based isolation entry takes effect, you can enable this function to pass some of the packets while not
discarding all of them.
20-13
Configuration Guide Configuring NFPP
If the ARP-guard isolation period is configured, it is directly used as the monitoring period, and the configured
monitoring period will lose effect.
Set the maximum number of ARP-guard monitored hosts reasonably. As the number of monitored hosts increases,
more CPU resources are used.
The maximum number of ARP-guard monitored hosts can be configured in NFPP configuration mode.
If the number of monitored hosts reaches 20,000 (default value) and the administrator sets the maximum number lower
than 20,000, the system does not delete monitored hosts but prints the log "%ERROR: The value that you configured is
smaller than current monitored hosts 20000, please clear a part of monitored hosts." This information notifies the
administrator that the configuration does not take effect and that some monitored hosts need to be deleted.
If the table of monitored hosts is full, the system prints the log "% NFPP_ARP_GUARD-4-SESSION_LIMIT: Attempt to
exceed limit of 20000 monitored hosts." to notify the administrator.
Mandatory.
To achieve the best ARP-guard effect, you are advised to configure the host-based rate limit and attack threshold
based on the following order: Source IP address-based rate limit < Source IP address-based attack threshold <Source
MAC address-based rate limit <Source MAC address-based attack threshold.
The attack threshold can be configured in NFPP configuration mode or interface configuration mode.
If the configured rate limit is greater than the attack threshold, the system prints the log "%ERROR: rate limit is higher
than attack threshold 500pps." to notify the administrator.
If the configured attack threshold is less than the rate limit, the system prints the log "%ERROR: attack threshold is
smaller than rate limit 300pps." to notify the administrator.
If the memory cannot be allocated to detected attackers, the system prints the log
"%NFPP_ARP_GUARD-4-NO_MEMORY: Failed to alloc memory." to notify the administrator.
Source MAC address-based rate limiting takes priority over source IP address-based rate limiting while the latter takes
priority over port-based rate limiting.
Mandatory.
The scanning threshold can be configured in NFPP configuration mode or interface configuration mode.
The ARP scanning table stores only the latest 256 records. When the ARP scanning table is full, the latest record will
overwrite the earliest record.
20-14
Configuration Guide Configuring NFPP
ARP scanning attack may have occurred if ARP packets received within 10 seconds meet either of the following
conditions:
- The link-layer source MAC address is fixed but the source IP address changes.
- The link-layer source MAC address and source IP address are fixed but the destination IP address continuously
changes, and the change times exceed the scanning threshold.
Verification
When a host in the network sends ARP attack packets to a switch configured with ARP guard, check whether these packets
can be sent to the CPU.
If the packets exceed the attack threshold or scanning threshold, an attack log is displayed.
Related Commands
20-15
Configuration Guide Configuring NFPP
20-16
Configuration Guide Configuring NFPP
Mode
Usage Guide The attack threshold must be equal to or greater than the rate limit.
20-17
Configuration Guide Configuring NFPP
Configuration Example
Scenario ARP host attacks exist in the system, and some hosts fail to properly establish ARP connection.
ARP scanning exists in the system, causing a very high CPU utilization rate.
Configuration Set the host-based attack threshold to 5 pps.
Steps Set the ARP scanning threshold to 10 pps.
Set the isolation period to 180 pps.
Ruijie(config)# nfpp
Verification Run the show nfpp arp-guard summary command to display the configuration.
Run the show nfpp arp-guard hosts command to display the monitored hosts.
Total: 1 host
Run the show nfpp arp-guard scan command to display the scanned hosts.
20-18
Configuration Guide Configuring NFPP
Total: 4 record(s)
Common Errors
N/A
IP attacks are identified based on hosts or physical interfaces. In host-based IP attack identification, IP attacks are
identified based on the source IP address, VLAN ID, and port. Each type of attack identification has a rate limit and an
attack threshold. If the IP packet rate exceeds the rate limit, the packets beyond the rate limit are discarded. If the IP
packet rate exceeds the attack threshold, the system prints alarm information and sends traps. In host-based attack
identification, the system also isolates the attack source.
IP guard can also detect IP scanning attacks. IP anti-scanning applies to IP packet attacks as follows: the destination IP
address continuously changes but the source IP address remains the same, and the destination IP address is not the IP
address of the local device.
Configure IP guard isolation to assign hardware-isolated entries against host attacks so that attack packets are neither
sent to the CPU nor forwarded.
IP anti-scanning applies to IP packet attacks where the destination IP address is not the local IP address. The CPP
limits the rate of IP packets where the destination IP address is the local IP address.
Notes
For a command that is configured both in NFPP configuration mode and interface configuration mode, the configuration
in interface configuration mode takes priority over that configured in NFPP configuration mode.
Isolation is disabled by default. If isolation is enabled, attackers will occupy hardware entries of the security module.
Configuration Steps
Enabling IP Guard
This function can be enabled in NFPP configuration mode or interface configuration mode.
20-19
Configuration Guide Configuring NFPP
If the packet traffic of attackers exceeds the rate limit defined in CPP, you can configure the isolation period to discard
packets and therefore to save bandwidth resources.
The isolation period can be configured in NFPP configuration mode or interface configuration mode.
If the isolation period is changed to 0, attackers under the corresponding port is deleted, instead of being monitored.
If the IP-guard isolation period is configured, it is directly used as the monitoring period, and the configured monitoring
period will lose effect.
Set the maximum number of IP-guard monitored hosts reasonably. As the number of monitored hosts increases, more
CPU resources are used.
The maximum number of IP-guard monitored hosts can be configured in NFPP configuration mode.
If the number of monitored hosts reaches 20,000 (default value) and the administrator sets the maximum number lower
than 20,000, the system does not delete monitored hosts but prints the log "%ERROR: The value that you configured is
smaller than current monitored hosts 20,000, please clear a part of monitored hosts." This information notifies the
administrator that the configuration does not take effect and that some monitored hosts need to be deleted.
If the table of monitored hosts is full, the system prints the log "% NFPP_IP_GUARD-4-SESSION_LIMIT: Attempt to
exceed limit of 20000 monitored hosts." to notify the administrator.
Mandatory.
The attack threshold can be configured in NFPP configuration mode or interface configuration mode.
If the configured rate limit is greater than the attack threshold, the system prints the log "%ERROR: rate limit is higher
than attack threshold 500pps." to notify the administrator.
If the configured attack threshold is less than the rate limit, the system prints the log "%ERROR: attack threshold is
smaller than rate limit 300pps." to notify the administrator.
If the memory cannot be allocated to detected attackers, the system prints the log
"%NFPP_IP_GUARD-4-NO_MEMORY: Failed to alloc memory." to notify the administrator.
Source IP address-based rate limiting takes priority over port-based rate limiting.
20-20
Configuration Guide Configuring NFPP
Mandatory.
The scanning threshold can be configured in NFPP configuration mode or interface configuration mode.
ARP scanning attack may have occurred if ARP packets received within 10 seconds meet the following conditions:
- The source IP address remains the same.
- The destination IP address continuously changes and is not the local IP address, and the change times exceed the
scanning threshold.
For IP guard, you can only configure a maximum of 500 IP addresses not to be monitored.
If any entry matching a trusted host (IP addresses are the same) exists in the table of monitored hosts, the system
automatically deletes this entry.
If the table of trusted hosts is full, the system prints the log "%ERROR: Attempt to exceed limit of 500 trusted hosts." to
notify the administrator.
If a trusted host cannot be deleted, the system prints the log "%ERROR: Failed to delete trusted host 1.1.1.0
255.255.255.0." to notify the administrator.
If a host cannot be trusted, the system prints the log "%ERROR: Failed to add trusted host 1.1.1.0 255.255.255.0." to
notify the administrator.
If the host to trust already exists, the system prints the log "%ERROR: Trusted host 1.1.1.0 255.255.255.0 has already
been configured." to notify the administrator.
If the host to delete from the trusted table does not exist, the system prints the log "%ERROR: Trusted host 1.1.1.0
255.255.255.0 is not found." to notify the administrator.
If the memory cannot be allocated to a trusted host, the system prints the log "%ERROR: Failed to alloc memory." to
notify the administrator.
Verification
When a host in the network sends IP attack packets to a switch configured with IP guard, check whether these packets can
be sent to the CPU.
If the rate of packets from untrusted hosts exceeds the attack threshold or scanning threshold, an attack log is
displayed.
Related Commands
20-21
Configuration Guide Configuring NFPP
20-22
Configuration Guide Configuring NFPP
20-23
Configuration Guide Configuring NFPP
Parameter seconds: Indicates the isolation period in the unit of second. It can be set to 0 or any value from 30 to
Description 86,400. The value 0 indicates no isolation.
permanent: Indicates permanent isolation.
Command Interface configuration mode
Mode
Usage Guide N/A
Configuration Example
Scenario IP host attacks exist in the system, and packets of some hosts cannot be properly routed and
forwarded.
IP scanning exists in the system, causing a very high CPU utilization rate.
Packet traffic of some hosts is very large in the system, and these packets need to pass through.
Configuration Configure the host-based attack threshold.
Steps Configure the IP scanning threshold.
Set the isolation period to a non-zero value.
Configure trusted hosts.
Ruijie(config)# nfpp
20-24
Configuration Guide Configuring NFPP
Verification Run the show nfpp ip-guard summary command to display the configuration.
Run the show nfpp ip-guard hosts command to display the monitored hosts.
Total: 1 host
Run the show nfpp ip-guard trusted-host command to display the trusted hosts.
IP address mask
---------- ----
192.168.201.46 255.255.255.255
Total: 1 record(s)
Common Errors
N/A
ICMP attacks are identified based on hosts or ports. In host-based attack identification, ICMP attacks are identified
based on the source IP address, VLAN ID, and port. Each type of attack identification has a rate limit and an attack
threshold. If the ICMP packet rate exceeds the rate limit, the packets beyond the rate limit are discarded. If the ICMP
packet rate exceeds the attack threshold, the system prints alarm information and sends traps. In host-based attack
identification, the system also isolates the attack source.
Configure ICMP guard isolation to assign hardware-isolated entries against host attacks so that attack packets are
neither sent to the CPU nor forwarded.
20-25
Configuration Guide Configuring NFPP
Notes
For a command that is configured both in NFPP configuration mode and interface configuration mode, the configuration
in interface configuration mode takes priority over that configured in NFPP configuration mode.
Isolation is disabled by default. If isolation is enabled, attackers will occupy hardware entries of the security module.
Configuration Steps
This function can be enabled in NFPP configuration mode or interface configuration mode.
If the packet traffic of attackers exceeds the rate limit defined in CPP, you can configure the isolation period to discard
packets and therefore to save bandwidth resources.
The isolation period can be configured in NFPP configuration mode or interface configuration mode.
If the isolation period is changed to 0, attackers under the corresponding port is deleted, instead of being monitored.
If the ICMP-guard isolation period is configured, it is directly used as the monitoring period, and the configured
monitoring period will lose effect.
Set the maximum number of ICMP-guard monitored hosts reasonably. As the number of actually monitored hosts
increases, more CPU resources are used.
The maximum number of ICMP-guard monitored hosts can be configured in NFPP configuration mode.
If the number of monitored hosts reaches 20,000 (default value) and the administrator sets the maximum number lower
than 20,000, the system does not delete monitored hosts but prints the log "%ERROR: The value that you configured is
smaller than current monitored hosts 20000, please clear a part of monitored hosts." This information notifies the
administrator that the configuration does not take effect and that some monitored hosts need to be deleted.
If the table of monitored hosts is full, the system prints the log "% NFPP_ICMP_GUARD-4-SESSION_LIMIT: Attempt to
exceed limit of 20000 monitored hosts." to notify the administrator.
20-26
Configuration Guide Configuring NFPP
Mandatory.
The attack threshold can be configured in NFPP configuration mode or interface configuration mode.
If the configured rate limit is greater than the attack threshold, the system prints the log "%ERROR: rate limit is higher
than attack threshold 500pps." to notify the administrator.
If the configured attack threshold is less than the rate limit, the system prints the log "%ERROR: attack threshold is
smaller than rate limit 300pps." to notify the administrator.
If the memory cannot be allocated to detected attackers, the system prints the log "%NFPP_
ICMP_GUARD-4-NO_MEMORY: Failed to alloc memory." to notify the administrator.
Source IP address-based rate limiting takes priority over port-based rate limiting.
For ICMP guard, you can only configure a maximum of 500 IP addresses not to be monitored.
If any entry matching a trusted host (IP addresses are the same) exists in the table of monitored hosts, the system
automatically deletes this entry.
If the table of trusted hosts is full, the system prints the log "%ERROR: Attempt to exceed limit of 500 trusted hosts." to
notify the administrator.
If a trusted host cannot be deleted, the system prints the log "%ERROR: Failed to delete trusted host 1.1.1.0
255.255.255.0." to notify the administrator.
If a host cannot be trusted, the system prints the log "%ERROR: Failed to add trusted host 1.1.1.0 255.255.255.0." to
notify the administrator.
If the host to trust already exists, the system prints the log "%ERROR: Trusted host 1.1.1.0 255.255.255.0 has already
been configured." to notify the administrator.
If the host to delete from the trusted table does not exist, the system prints the log "%ERROR: Trusted host 1.1.1.0
255.255.255.0 is not found." to notify the administrator.
If the memory cannot be allocated to a trusted host, the system prints the log "%ERROR: Failed to alloc memory." to
notify the administrator.
Verification
When a host in the network sends ICMP attack packets to a switch configured with ICMP guard, check whether these
packets can be sent to the CPU.
If the rate of packets from an untrusted host exceeds the attack threshold, an attack log is displayed.
Related Commands
20-27
Configuration Guide Configuring NFPP
20-28
Configuration Guide Configuring NFPP
value that you configured is smaller than current monitored hosts 20000, please clear a part of monitored
hosts." This information notifies the administrator that the configuration does not take effect and that some
monitored hosts need to be deleted.
If the table of monitored hosts is full, the system prints the log "% NFPP_ICMP_GUARD-4-SESSION_LIMIT:
Attempt to exceed limit of 20000 monitored hosts." to notify the administrator.
20-29
Configuration Guide Configuring NFPP
Mode
Usage Guide ICMP guard configured in interface configuration mode takes priority over that configured in NFPP
configuration mode.
Configuration Example
Scenario ICMP host attacks exist in the system, and some hosts cannot successfully ping devices.
Packet traffic of some hosts is very large in the system, and these packets need to pass through.
Configuration Configure the host-based attack threshold.
Steps Set the isolation period to a non-zero value.
Configure trusted hosts.
Ruijie(config)# nfpp
Verification Run the show nfpp icmp-guard summary command to display the configuration.
20-30
Configuration Guide Configuring NFPP
Run the show nfpp icmp-guard hosts command to display the monitored hosts.
Total: 1 host
Run the show nfpp icmp-guard trusted-host command to display the trusted hosts.
IP address mask
---------- ----
192.168.201.46 255.255.255.255
Total: 1 record(s)
Common Errors
N/A
DHCP attacks are identified based on hosts or ports. In host-based attack identification, DHCP attacks are identified
based on the link-layer source IP address, VLAN ID, and port. Each type of attack identification has a rate limit and an
attack threshold. If the DHCP packet rate exceeds the rate limit, the packets beyond the rate limit are discarded. If the
DHCP packet rate exceeds the attack threshold, the system prints alarm information and sends traps. In host-based
attack identification, the system also isolates the attack source.
Configure DHCP guard isolation to assign hardware-isolated entries against host attacks so that attack packets are
neither sent to the CPU nor forwarded.
Notes
For a command that is configured both in NFPP configuration mode and interface configuration mode, the configuration
in interface configuration mode takes priority over that configured in NFPP configuration mode.
20-31
Configuration Guide Configuring NFPP
Isolation is disabled by default. If isolation is enabled, attackers will occupy hardware entries of the security module.
For trusted ports configured for DHCP snooping, DHCP guard does not take effect, preventing false positive of DHCP
traffic on the trusted ports. For details about trusted ports of DHCP snooping, see "Configuring Basic Functions of
DHCP Snooping" in the Configuring DHCP Snooping.
Configuration Steps
This function can be enabled in NFPP configuration mode or interface configuration mode.
If the packet traffic of attackers exceeds the rate limit defined in CPP, you can configure the isolation period to discard
packets and therefore to save bandwidth resources.
The isolation period can be configured in NFPP configuration mode or interface configuration mode.
If the isolation period is changed to 0, attackers under the corresponding port is deleted, instead of being monitored.
If the DHCP-guard isolation period is configured, it is directly used as the monitoring period, and the configured
monitoring period will lose effect.
Set the maximum number of DHCP-guard monitored hosts reasonably. As the number of monitored hosts increases,
more CPU resources are used.
The maximum number of DHCP-guard monitored hosts can be configured in NFPP configuration mode.
If the number of monitored hosts reaches 20,000 (default value) and the administrator sets the maximum number lower
than 20,000, the system does not delete monitored hosts but prints the log "%ERROR: The value that you configured is
smaller than current monitored hosts 20000, please clear a part of monitored hosts." This information notifies the
administrator that the configuration does not take effect and that some monitored hosts need to be deleted.
If the table of monitored hosts is full, the system prints the log "% NFPP_DHCP_GUARD-4-SESSION_LIMIT: Attempt
to exceed limit of 20000 monitored hosts." to notify the administrator.
20-32
Configuration Guide Configuring NFPP
Mandatory.
The attack threshold can be configured in NFPP configuration mode or interface configuration mode.
If the configured rate limit is greater than the attack threshold, the system prints the log "%ERROR: rate limit is higher
than attack threshold 500pps." to notify the administrator.
If the configured attack threshold is less than the rate limit, the system prints the log "%ERROR: attack threshold is
smaller than rate limit 300pps." to notify the administrator.
If the memory cannot be allocated to detected attackers, the system prints the log
"%NFPP_DHCP_GUARD-4-NO_MEMORY: Failed to alloc memory." to notify the administrator.
Source MAC address-based rate limiting takes priority over port-based rate limiting.
Verification
When a host in the network sends DHCP attack packets to a switch configured with DHCP guard, check whether these
packets can be sent to the CPU.
If the parameter of the packets exceeds the attack threshold, an attack log is displayed.
Related Commands
20-33
Configuration Guide Configuring NFPP
Parameter seconds: Indicates the monitoring period in the unit of second. The value ranges from 180 to 86,400.
Description
Command NFPP configuration mode
Mode
Usage Guide If the isolation period is 0, the system performs software monitoring on detected attackers. The timeout
period is the monitoring period. During software monitoring, if the isolation period is set to a non-zero value,
the system automatically performs hardware isolation against monitored attackers and sets the timeout
period as the monitoring period. The monitoring period is valid only when the isolation period is 0.
If the isolation period is changed to 0, attackers under the corresponding port is deleted, instead of being
monitored.
20-34
Configuration Guide Configuring NFPP
Mode
Usage Guide N/A
Configuration Example
Scenario DHCP host attacks exist in the system, and some hosts fail to request IP addresses.
Configuration Configure the host-based attack threshold.
Steps Set the isolation period to a non-zero value.
Ruijie(config)# nfpp
20-35
Configuration Guide Configuring NFPP
Verification Run the show nfpp dhcp-guard summary command to display the configuration.
Run the show nfpp dhcp-guard hosts command to display the monitored hosts.
Total: 1 host
Common Errors
N/A
DHCPv6 attacks are identified based on hosts or ports. In host-based attack identification, DHCPv6 attacks are
identified based on the link-layer source IP address, VLAN ID, and port. Each type of attack identification has a rate limit
and an attack threshold. If the DHCPv6 packet rate exceeds the rate limit, the packets beyond the rate limit are
discarded. If the DHCPv6 packet rate exceeds the attack threshold, the system prints alarm information and sends
traps.
In host-based attack identification, the system also isolates the attack source.
Notes
For a command that is configured both in NFPP configuration mode and interface configuration mode, the configuration
in interface configuration mode takes priority over that configured in NFPP configuration mode.
Isolation is disabled by default. If isolation is enabled, attackers will occupy hardware entries of the security module.
For trusted ports configured for DHCPv6 snooping, DHCPv6 guard does not take effect, preventing false positive of
DHCPv6 traffic on the trusted ports. For details about trusted ports of DHCPv6 snooping, see "Configuring Basic
Functions of DHCPv6 Snooping" in the Configuring DHCPv6 Snooping.
20-36
Configuration Guide Configuring NFPP
Configuration Steps
DHCPv6 guard can be enabled in NFPP configuration mode or interface configuration mode.
If the packet traffic of attackers exceeds the rate limit defined in CPP, you can configure the isolation period to discard
packets and therefore to save bandwidth resources.
The DHCPv6-guard isolation period can be configured in NFPP configuration mode or interface configuration mode.
If the isolation period is changed to 0, attackers under the corresponding port is deleted, instead of being monitored.
If the DHCPv6-guard isolation period is configured, it is directly used as the monitoring period, and the configured
monitoring period does not take effect.
Set the maximum number of DHCPv6-guard monitored hosts reasonably. As the number of monitored hosts increases,
more CPU resources are used.
The maximum number of DHCPv6-guard monitored hosts can be configured in NFPP configuration mode.
If the number of monitored hosts reaches 20,000 (default value) and the administrator sets the maximum number lower
than 20,000, the system does not delete monitored hosts but prints the log "%ERROR: The value that you configured is
smaller than current monitored hosts 20000, please clear a part of monitored hosts." This information notifies the
administrator that the configuration does not take effect and that some monitored hosts need to be deleted.
If the table of monitored hosts is full, the system prints the log "% NFPP_DHCPV6_GUARD-4-SESSION_LIMIT:
Attempt to exceed limit of 20000 monitored hosts." to notify the administrator.
Mandatory.
The DHCPv6-guard attack threshold can be configured in NFPP configuration mode or interface configuration mode.
If the configured rate limit is greater than the attack threshold, the system prints the log "%ERROR: rate limit is higher
than attack threshold 500pps." to notify the administrator.
20-37
Configuration Guide Configuring NFPP
If the configured attack threshold is less than the rate limit, the system prints the log "%ERROR: attack threshold is
smaller than rate limit 300pps." to notify the administrator.
If the memory cannot be allocated to detected attackers, the system prints the log
"%NFPP_DHCPV6_GUARD-4-NO_MEMORY: Failed to alloc memory." to notify the administrator.
Source MAC address-based rate limiting takes priority over port-based rate limiting.
Verification
When a host in the network sends DHCPv6 attack packets to a switch configured with DHCPv6 guard, check whether these
packets can be sent to the CPU.
If the parameter of the packets exceeds the attack threshold, an attack log is displayed.
Related Commands
20-38
Configuration Guide Configuring NFPP
period is the monitoring period. During software monitoring, if the isolation period is set to a non-zero value,
the system automatically performs hardware isolation against monitored attackers and sets the timeout
period as the monitoring period. The monitoring period is valid only when the isolation period is 0.
If the isolation period is changed to 0, attackers under the corresponding port is deleted, instead of being
monitored.
20-39
Configuration Guide Configuring NFPP
Parameter N/A
Description
Command Interface configuration mode
Mode
Usage Guide DHCPv6 guard configured in interface configuration mode takes priority over that configured in NFPP
configuration mode.
Configuration Example
Scenario DHCPv6 host attacks exist in the system, and DHCPv6 neighbor discovery fails on some hosts.
Configuration Configure the host-based attack threshold.
Steps Set the isolation period to a non-zero value.
Ruijie(config)# nfpp
Verification Run the show nfpp dhcpv6-guard summary command to display the configuration.
20-40
Configuration Guide Configuring NFPP
Run the show nfpp dhcpv6-guard hosts command to display the monitored hosts.
Total: 1 host
Common Errors
N/A
AR ND guard classifies ND packets into three types based on their purposes: 1. NS and NA; 2. RS; 3. RA and Redirect.
Type 1 packets are used for address resolution. Type 2 packets are used by hosts to discover the gateway. Type 3
packets are related to routing: RAs are used to advertise the gateway and prefix while Redirect packets are used to
advertise a better next hop.
At present, only port-based ND packet attack identification is supported. You can configure the rate limits and attack
thresholds for these three types of packets respectively. If the ND packet rate exceeds the rate limit, the packets
beyond the rate limit are discarded. If the ND packet rate exceeds the attack threshold, the system prints logs and
sends traps.
Notes
For a command that is configured both in NFPP configuration mode and interface configuration mode, the configuration
in interface configuration mode takes priority over that configured in NFPP configuration mode.
Isolation is disabled by default. If isolation is enabled, attackers will occupy hardware entries of the security module.
Configuration Steps
Enabling ND Guard
This function can be enabled in NFPP configuration mode or interface configuration mode.
20-41
Configuration Guide Configuring NFPP
If the port-based isolation entry takes effect, you can enable this function to pass some of the packets while not
discarding all of them.
Mandatory.
The ND-guard attack threshold can be enabled in NFPP configuration mode or interface configuration mode.
If the configured rate limit is greater than the attack threshold, the system prints the log "%ERROR: rate limit is higher
than attack threshold 500pps." to notify the administrator.
If the configured attack threshold is less than the rate limit, the system prints the log "%ERROR: attack threshold is
smaller than rate limit 300pps." to notify the administrator.
If memories cannot assigned to detected attackers, the system prints the log "%NFPP_ND_GUARD-4-NO_MEMORY:
Failed to alloc memory." to notify the administrator.
Verification
When a host in the network sends ND attack packets to a switch configured with ND guard, check whether these packets can
be sent to the CPU.
If the parameter of the packets exceeds the attack threshold, an attack log is displayed.
Related Commands
20-42
Configuration Guide Configuring NFPP
Configuration Example
20-43
Configuration Guide Configuring NFPP
Scenario ND host attacks exist in the system, and neighbor discovery fails on some hosts.
Configuration Configure the host-based attack threshold.
Steps
Ruijie(config)# nfpp
Verification Run the show nfpp nd-guard summary command to display the configuration.
Common Errors
N/A
Notes
For a command that is configured both in self-defined guard configuration mode and interface configuration mode, the
configuration in interface configuration mode takes priority over that configured in self-defined guard configuration
mode.
Isolation is disabled by default. If isolation is enabled, attackers will occupy hardware entries of the security module.
A self-defined guard takes priority over basic guards. When configuring the match fields of self-defined guards, see the
Configuration Guide.
Configuration Steps
(Mandatory) Configure the name of a self-defined guard to create the self-defined guard.
The guard name must be unique, and the match fields and values c must be different from those of ARP, ICMP, DHCP,
IP, and DHCPv6 guards. If the parameters you want to configure already exist, a message is displayed to indicate the
configuration failure.
20-44
Configuration Guide Configuring NFPP
Mandatory.
Self-defined packets are classified based on the following fields: etype (Ethernet link-layer type), smac (source MAC
address), dmac (destination MAC address), protocol (IPv4/IPv6 protocol number), sip (source IPv4/IPv6 address), dip
(destination IPv4/IPv6 address), sport (source transport-layer port), and dport (destination transport-layer port).
protocol is valid only when the value of etype is ipv4 or ipv6. src-ip and dst-ip are valid only when the value of etype
is ipv4. src-ipv6 and dst-ipv6 are valid only when the value of etype is ipv6. src-port and dst-port are valid only when
the value of protocol is tcp or udp.
If the match fields and values of a self-defined guard are totally the same as those of an existing guard, the system
prints the log "%ERROR: the match type and value are the same with define name (name of an existing guard)." to
notify the administrator of the configuration failure.
If protocol is configured but etype is IPv4 or IPv6 in the match policy, the system prints the log "%ERROR: protocol is
valid only when etype is IPv4(0x0800) or IPv6(0x86dd)."
If src-ip and dst-ip are configured but etype is not IPv4 in the match policy, the system prints the log "%ERROR: IP
address is valid only when etype is IPv4(0x0800)."
If src-ipv6 and dst-ipv6 are configured but etype is not IPv6 in the match policy, the system prints the log "%ERROR:
IPv6 address is valid only when etype is IPv6(0x86dd)."
If src-port and dst-port are configured but protocol is not TCP or UDP in the match policy, the system prints the log
"%ERROR: Port is valid only when protocol is TCP(6) or UDP(17)."
The following table lists guard policies corresponding to some common network protocols. The rate limits and attack
thresholds listed below can meet the requirements in most network scenarios and are for reference only. You can
configure valid rate limits and attack thresholds based on actual scenarios.
20-45
Configuration Guide Configuring NFPP
To contain as many existing protocol types as possible and facilitate expansion of new protocol types, self-defined
guards allow hosts to freely combine type fields of packets. If the configuration is inappropriate, the network may
become abnormal. Therefore, the network administrator needs to have a good knowledge of network protocols. As a
reference, the following table lists valid configurations of currently known protocols for common self-defined guard
policies. For other protocols not listed in the table, configure them with caution.
(Mandatory) If these parameters are not configured, the self-defined guard cannot be enabled.
You must configure one of the per-src-ip, per-src-mac, and per-port fields. Otherwise, the policy cannot take effect.
The rate limit configured based on the source MAC address, VLAN ID, and port takes priority over that configured
based on the source IP address, VLAN ID, and port.
The port-based host identification policy of a self-defined guard must be consistent with the global port-based host
identification policy.
If the per-src-ip policy is not configured globally but configured for a port, the system prints the log "%ERROR: name
(name of a self-defined guard) has not per-src-ip policy." to notify the administrator of the configuration failure.
If the per-src-mac policy is not configured globally but configured for a port, the system prints the log "%ERROR: name
(name of a self-defined guard) has not per-src-mac policy." to notify the administrator of the configuration failure.
If the memory cannot be allocated to detected attackers, the system prints the log
"%NFPP_DEFINE_GUARD-4-NO_MEMORY: Failed to allocate memory." to notify the administrator.
If the configured rate limit is greater than the attack threshold, the system prints the log "%ERROR: rate limit is higher
than attack threshold 500pps." to notify the administrator.
If the configured attack threshold is less than the rate limit, the system prints the log "%ERROR: attack threshold is
smaller than rate limit 300pps." to notify the administrator.
20-46
Configuration Guide Configuring NFPP
If the packet traffic of attackers exceeds the rate limit defined in CPP, you can configure the isolation period to discard
packets and therefore to save bandwidth resources.
The isolation period can be configured in self-defined guard configuration mode or interface configuration mode.
If the isolation period is changed to 0, attackers under the corresponding port is deleted, instead of being monitored.
If the isolation period is configured, it is directly used as the monitoring period, and the configured monitoring period will
lose effect.
If the isolation period is 0, the system performs software monitoring on detected attackers. The timeout period is the
monitoring period. During software monitoring, if the isolation period is set to a non-zero value, the system automatically
performs hardware isolation against monitored attackers and sets the timeout period as the monitoring period. The
monitoring period is valid only when the isolation period is 0.
If the isolation period is changed to 0, attackers under the corresponding port is deleted, instead of being monitored.
Set the maximum number of monitored hosts reasonably. As the number of monitored hosts increases, more CPU
resources are used.
The maximum number of monitored hosts can be configured in self-defined guard configuration mode.
If the number of monitored hosts reaches 20,000 (default value) and the administrator sets the maximum number lower
than 20,000, the system does not delete monitored hosts but prints the log "%ERROR: The value that you configured is
smaller than current monitored hosts 20000, please clear a part of monitored hosts." This information notifies the
administrator that the configuration does not take effect and that some monitored hosts need to be deleted.
If the table of monitored hosts is full, the system prints the log "% NFPP_DEFINE-4-SESSION_LIMIT: Attempt to
exceed limit of name's 20000 monitored hosts." to notify the administrator.
You can configure a maximum of 500 trusted IP address or MAC address for a self-defined guard.
If you do not want to monitor a host, you can run the following commands to trust the host. This trusted host can send
ICMP packets to the CPU, without any rate limiting or alarm reporting. You can configure the mask so that no host in
one network segment is monitored.
20-47
Configuration Guide Configuring NFPP
You must configure the match type before configuring trusted hosts. If the packet type is IPv4 in the match policy, you
are not allowed to configure trusted IPv6 addresses. If the packet type is IPv6 in the match policy, you are not allowed
to configure trusted IPv4 addresses.
If the match type is not configured, the system prints the log "%ERROR: Please configure match rule first."
If a trusted IPv4 host is added but etype is not IPv4 in the match policy, the system prints the log "%ERROR: Match
type can’t support IPv4 trusted host."
If a trusted IPv6 host is added but etype is not IPv6 in the match policy, the system prints the log "%ERROR: Match
type can’t support IPv6 trusted host."
If the table of trusted hosts is full, the system prints the log "%ERROR: Attempt to exceed limit of 500 trusted hosts." to
notify the administrator.
If any entry matching a trusted host (IP addresses are the same) exists in the table of monitored hosts, the system
automatically deletes this entry.
If a trusted host cannot be deleted, the system prints the log "%ERROR: Failed to delete trusted host 1.1.1.0
255.255.255.0." to notify the administrator.
If a host cannot be trusted, the system prints the log "%ERROR: Failed to add trusted host 1.1.1.0 255.255.255.0." to
notify the administrator.
If the host to trust already exists, the system prints the log "%ERROR: Trusted host 1.1.1.0 255.255.255.0 has already
been configured." to notify the administrator.
If the host to delete from the trusted table does not exist, the system prints the log "%ERROR: Trusted host 1.1.1.0
255.255.255.0 is not found." to notify the administrator.
If the memory cannot be allocated to a trusted host, the system prints the log "%ERROR: Failed to allocate memory." to
notify the administrator.
Mandatory.
You have to configure at least one policy between host-based self-defined guard policy and port-based self-defined
guard policy. Otherwise, the self-defined guard cannot be enabled.
Self-defined guards can be configured in self-defined guard configuration mode or interface configuration mode.
If a self-defined guard policy is not completely configured, the self-defined guard cannot be enabled and a prompt is
displayed to notify hosts of the missing policy configurations.
If the name of a self-defined guard does not exist, the system prints the log "%ERROR: The name is not exist."
If the match type is not configured for a self-defined guard, the system prints the log "%ERROR: name (name of the
self-defined guard) doesn't match any type."
If no policy is configured for a self-defined guard, the system prints the log "%ERROR: name (name of the self-defined
guard) doesn't specify any policy."
20-48
Configuration Guide Configuring NFPP
Verification
When a host in the network sends packets to a switch configured with a self-defined NFPP guard, check whether these
packets can be sent to the CPU.
If the rate of packets from an untrusted host exceeds the attack threshold, an attack log is displayed.
Related Commands
20-49
Configuration Guide Configuring NFPP
Configuring the Global Rate Limit and Attack Threshold of a Self-defined Guard
20-50
Configuration Guide Configuring NFPP
Configuring the Rate Limit and Attack Threshold of a Self-defined Guard on an Interface
Command nfpp define name policy {per-src-ip | per-src-mac| per-port} rate-limit-pps attack-threshold-pps
Parameter name: Indicates the name of a self-defined guard.
Description per-src-ip: Configures the rate limit and attack threshold of each source IP address.
per-src-mac: Configures the rate limit and attack threshold of each source MAC address.
per-port: Configures the rate limit and attack threshold of each port.
rate-limit-pps: Indicates the rate limit, ranging from 1 to 19,999.
attack-threshold-pps: Indicates the attack threshold, ranging from 1 to 19,999.
Command Interface configuration mode
Mode
20-51
Configuration Guide Configuring NFPP
Usage Guide The attack threshold must be equal to or greater than the rate limit.
Configuration Example
Scenario Basic guards cannot protect the system with RIP attacks.
Configuration Configure a self-defined guard, with the key fields matching RIP packets.
Steps Configure the rate limit.
Configure the isolation period.
Configure trusted hosts.
Ruijie(config)# nfpp
Ruijie (config-nfpp-define)#exit
Verification Run the show nfpp define summary rip command to display the configuration.
Monitor period:600s
Run the show nfpp define trusted-host rip command to display the trusted hosts.
Define rip:
IP address IP mask
---------- -------
192.168.201.46 255.255.255.255
20-52
Configuration Guide Configuring NFPP
Run the show nfpp define hosts rip command to display the monitored hosts.
Total: 1 host
Common Errors
N/A
Configure centralized bandwidth allocation so that Manage and Protocol packets are first processed when the network
is busy.
Notes
The following condition must be met: Valid percentage range of a type of packets ≤ 100% – Percentage of the sum of
the other two types
Configuration Steps
(Mandatory) Manage, Route, and Protocol packets share the same default bandwidth.
(Mandatory) By default, Manage packets occupy 30% of the bandwidth, Route packets occupy 25%, and Protocol
packets occupy 45%.
Verification
Send a large number of protocol packets such as OSPF packets to a switch, causing high CPU utilization.
When the host pings the switch, the pinging must be successful and no packet is lost.
Related Commands
20-53
Configuration Guide Configuring NFPP
Configuration Example
Scenario Various types of mass packets exist in the network and belong to different centralized types.
Configuration Configure the maximum bandwidth of specified packets.
Steps Configure the maximum percentage of specified packets in the queue.
Verification N/A
Common Errors
N/A
Use the (no) all-guard enable command to enable or disable all attack guards so that you do not need to disable or
enable them one by one.
Notes
Only basic guards (ARP, ICMP, IP, DHCP, DHCPv6, and ND) are applied.
Only the global configuration is applied. Interface-based guard configuration remains the same.
After the command is executed, basic guards are displayed by using the show running-config command.
20-54
Configuration Guide Configuring NFPP
The no all-guard enable command just packs the no commands of all basic guards together. After you run the
disabling command, the no commands of all basic guards are displayed under the show running-config command.
After you run the enabling command, the default conditions are displayed under the show running-config command.
Configuration Steps
Verification
When a host sends a large number of packets corresponding to basic guards to a switch, such as ARP/ICMP packets, NFPP
guard detection takes effect by default.
Run the no all-guard enable command. With the show cpu-protect command used, NFPP ratelimit failure is
displayed. With the show nfpp xx-guard host command used, no attacker is displayed. With the show nfpp xx-guard
summary command used, the "disabled" status of guards is displayed.
Related Commands
Configuration Example
Scenario N/A
Configuration N/A
Steps
nfpp
log-buffer enable
Ruijie(config)# nfpp
nfpp
log-buffer enable
no arp-guard enable
no icmp-guard enable
20-55
Configuration Guide Configuring NFPP
no ip-guard enable
no dhcp-guard enable
no dhcpv6-guard enable
no nd-guard enable
Ruijie(config-nfpp)#all-guard enable
nfpp
log-buffer enable
no service password-encryption
Verification N/A
Common Errors
N/A
NFPP obtains a log from the dedicated log buffer at a certain rate, generates a system message, and clears this log
from the dedicated log buffer.
Notes
Logs are continuously printed in the log buffer, even if attacks have stopped.
Configuration Steps
Mandatory.
If the log buffer is full, new logs replace the old ones.
If the log buffer overflows, subsequent logs replace the previous ones with all attributes marked with a hyphen (-) is
displayed in the log buffer. The administrator needs to increase the log buffer size or the system message generation
rate.
20-56
Configuration Guide Configuring NFPP
Mandatory.
The log buffer rate depends on two parameters: the time period and the number of system messages generated in the
time period.
If both of the preceding two parameters are set to 0, system messages are immediately generated for logs but are not
stored in the log buffer.
If log filtering is enabled, logs not meeting the filtering rule are discarded.
If you want to monitor attacks in real time, you can configure logs to be printed on the screen to export the log
information in real time.
Verification
Check whether the configuration takes effect based on the log configuration and the number and interval of printed logs.
Related Commands
20-57
Configuration Guide Configuring NFPP
Mode
Usage Guide N/A
Configuration Example
Scenario If attackers are too many, log printing will affect the usage of user interfaces, which requires restriction.
Configuration Configure the log buffer size.
Steps Configure the log buffer rate.
Configure VLAN-based log filtering.
Ruijie(config)# nfpp
20-58
Configuration Guide Configuring NFPP
Verification Run the show nfpp log summary command to display the configuration.
Logging:
VLAN 1
Run the show nfpp log buffer command to display logs in the log buffer.
20.5 Monitoring
Clearing
Description Command
Clears the ARP-guard scanning table. clear nfpp arp-guard scan
Clears ARP-guard monitored hosts. clear nfpp arp-guard hosts
Clears IP-guard monitored hosts. clear nfpp ip-guard hosts
Clears ND-guard monitored hosts. clear nfpp nd-guard hosts
Clears ICMP-guard monitored hosts. clear nfpp icmp-guard hosts
Clears DHCP-guard monitored hosts. clear nfpp dhcp-guard hosts
Clears DHCPv6-guard monitored hosts. clear nfpp dhcpv6-guard hosts
Clears self-defined guard monitored hosts. clear nfpp define name hosts
Clears NFPP logs. clear nfpp log
Displaying
Description Command
Displays ARP-guard configuration. show nfpp arp-guard summary
Displays ARP-guard monitored hosts. show nfpp arp-guard hosts
Displays the ARP-guard scanning table. show nfpp arp-guard scan
Displays IP-guard configuration. show nfpp ip-guard summary
Displays IP-guard monitored hosts. show nfpp ip-guard hosts
Displays the IP-guard scanning table. show nfpp ip-guard trusted-host
Displays ICMP-guard configuration. show nfpp icmp-guard summary
20-59
Configuration Guide Configuring NFPP
Description Command
Displays ICMP-guard monitored hosts. show nfpp icmp-guard hosts
Displays the ICMP-guard scanning table. show nfpp icmp-guard trusted-host
Displays DHCP-guard configuration. show nfpp dhcp-guard summary
Displays DHCP-guard monitored hosts. show nfpp dhcp-guard hosts
Displays DHCPv6-guard configuration. show nfpp dhcpv6-guard summary
Displays DHCPv6-guard monitored hosts. show nfpp dhcpv6-guard hosts
Displays ND-guard configuration. show nfpp nd-guard summary
Displays self-defined guard configuration. show nfpp define summary [name]
Displays the monitored hosts. show nfpp define hosts name
Displays the trusted hosts. show nfpp define trusted-host name
Displays NFPP logs. show nfpp log summary
Displays the NFPP log buffer. show nfpp log buffer [statistics]
20-60
Configuration Guide Configuring DoS Protection
21.1 Overview
Denial of Service (DoS) attacks refer to attacks that cause DoS and aim to put computers or networks out of service.
DoS attacks are diversified in types and can be implemented in many ways, but have one common purpose, that is, prevent
victim hosts or networks cannot receive, respond, or process external requests in time. In particular, on a layer-2 (L-2)
network, DoS attack packets can be spread in the entire broadcast domain. If hackers maliciously initiate DoS attacks, some
operating systems (OSs) may collapse. Ruijie products supports the following anti DoS attack functions:
21.2 Applications
Application Description
Protecting Servers Against DoS On a campus network, configure the anti DoS attack function on the devices
Attacks connected to servers to effectively reduce the negative impacts brought by DoS
attacks to servers.
21-1
Configuration Guide Configuring DoS Protection
Figure 21-1
Deployment
Enable the function of denying land attacks on the core switch to protect servers against land attacks.
Enable the function of denying invalid TCP packets on the core switch to protect servers against invalid TCP packets.
Enable the function of denying invalid L4 ports on the core switch to protect servers against attacks caused by invalid L4
ports.
21.3 Features
Overview
Feature Description
Denying Land Drop packets with the same source and destination IP addresses or the same L4 source and
Attacks destination port IDs on the device to prevent these packets from attacking OSs on the network.
Denying Invalid TCP Drop invalid TCP packets on the device to prevent invalid TCP packets from attacking OSs on the
Packets network. (For details about the definition of invalid TCP packets, see "Denying Invalid TCP Packets".
Denying Invalid L4 Drop packets with the same L4 source and destination port IDs on the device to prevent these
Ports packets from attacking OSs on the network.
21-2
Configuration Guide Configuring DoS Protection
Working Principle
In a land attack, the attacker sets the source and destination IP addresses or the L4 source and destination port IDs in a SYN
packet to the same address of the target host. Consequently, the attacked host will be trapped in an infinite loop or even
collapse when attempting to set up a TCP connection with itself.
If the function of denying land attacks is enabled, the device checks packets based on characteristics of land packets (that is,
SYN packets with the same source and destination IP addresses), and drops invalid packets.
Related Configuration
Run the ip deny land command to enable or disable the function of denying land attacks.
Working Principle
SYN: Connection establishment flag. The TCP SYN packet is used to set this flag to 1 to request establishment of a
connection.
ACK: Acknowledgement flag. In a TCP connection, this field must be available in every flag (except the first packet, that
is, the TCP SYN packet) as the acknowledgement of the previous packet.
FIN: Finish flag. When a host receives the TCP packet with the FIN flag, the host disconnects the TCP connection.
RST: Reset flag. When the IP protocol stack receives a TCP packet that contains a non-existent destination port, it
responds with a packet with the RST flag.
PSH: This flag notifies the protocol stack to submit TCP data to the upper-layer program for processing as soon as
possible.
In invalid TCP packets, flag fields are set improperly so that the processing resources of hosts are exhausted or even the
system collapses. The following lists several common methods for setting flag fields in invalid TCP packets:
Normally, a TCP packet cannot contain both the SYN and FIN flags. In addition, RFC does not stipulate how the IP protocol
stack should process such invalid packets containing both the SYN and FIN flags. Therefore, the protocol stack of each OS
may process such packets in different ways when receiving these packets. Attackers can use this feature to send packets
containing both the SYN and FIN flags to identify the OS type and initiate attacks on this OS.
Normally, a TCP packet contains at least one of the five flags, including SYN, FIN, ACK, RST, and PSH. The first TCP packet
(TCP SYN packet) must contain the SYN flag, and the subsequent packets contain the ACK flag. Based on such
21-3
Configuration Guide Configuring DoS Protection
assumptions, some protocol stack does not specify the method for processing TCP packets without any flag, and therefore
may collapse if such protocol stack receives TCP packets without any flag. Attackers use this feature to initiate attacks on
target hosts.
TCP packets with the FIN flag but without the ACK flag
Normally, except the first packet (TCP SYN packet), all other packets, including the packets with the FIN flag, contain the
ACK flag. Some attackers may send TCP packets with the FIN flag but without the ACK flag to the target hosts, causing
breakdown of the target hosts.
TCP packets with the SYN flag and the source port ID set to a value between 0 and 1,023
Port IDs 0 to 1,023 are known port IDs allocated by the Internet Assigned Numbers Authority (IANA). In most systems, these
port IDs can be used only by the system (or root) processes or programs run by privileged users. These ports (0–1023)
cannot be used as the source port IDs in the first TCP packets (with the SYN flag) sent by clients.
If the function of denying invalid TCP packets is enabled, the device checks packets based on characteristics of invalid TCP
packets, and drops invalid TCP packets.
Related Configuration
Run the ip deny invalid-tcp command to enable or disable the function of denying invalid TCP packets.
Working Principle
Attackers sends packets in which the IP address of the target host is the same as the L4 port ID of the host to the host target.
As a result, the target host sends TCP connection setup requests to itself. Under such attacks, resources of the target host
will soon be exhausted and the system will collapse.
If the function of denying invalid L4 ports is enabled, the device checks the L4 source port ID and destination port ID in the
packets. If they are the same, the device drops the packets.
Related Configuration
Run the ip deny invalid-l4port command to enable or disable the function of denying invalid L4 ports.
21-4
Configuration Guide Configuring DoS Protection
21.4 Configuration
Optional.
Configuring the Function of
Denying Land Attacks Enables the function of denying land
ip deny land
attacks.
Optional.
Configuring the Function of
Denying Invalid TCP Packets Enables the function of denying invalid TCP
ipdeny invalid-tcp
packets.
Optional.
Configuring the Function of
Denying Invalid L4 Ports Enables the function of denying invalid L4
ip deny invalid-l4port
ports.
Enable the function of denying land attacks. Then, the device checks packets based on characteristics of land packets, and
drops land packets.
Configuration Steps
Mandatory.
Verification
Run the showipdenyland command to display the status of the function of denying land attacks.
After this function is enabled, construct a land attack packet and confirm that this packet cannot be forwarded.
Related Commands
21-5
Configuration Guide Configuring DoS Protection
Configuration Example
Configuration Enable the function of denying land attacks in global configuration mode.
Steps
Ruijie(config)# end
Verification Run the showipdenyland command to display the status of the function of denying land attacks.
The following example shows how to display the status of the function of denying land attacks:
------------------------------------- -----
Enable the function of denying invalid TCP packets. Then, the device checks packets based on characteristics of invalid TCP
packets, and drops invalid TCP packets.
Configuration Steps
Mandatory.
Verification
Run the show ip deny invalid-tcp command to display the status of the function of denying invalid TCP packets.
After this function is enabled, construct an invalid TCP packet and confirm that this packet cannot be forwarded.
Related Commands
21-6
Configuration Guide Configuring DoS Protection
Configuration Example
Configuration Enable the function of denying invalid TCP packets in global configuration mode.
Steps
Ruijie(config)# end
Verification Run the show ip deny invalid-tcp command to display the status of the function of denying invalid TCP
packets.
The following example shows how to display the status of the function of denying invalid TCP packets:
------------------------------------- -----
Enable the function of denying invalid L4 ports. Then, the device checks the L4 source port ID and destination port ID in the
packets. If they are the same, the device drops the packets.
Configuration Steps
Mandatory.
Verification
Run the show ip deny invalid-l4port command to display the status of the function of denying invalid L4 ports.
After this function is enabled, construct a packet in which the L4 source port ID is the same as the destination port ID
and confirm that this packet cannot be forwarded.
21-7
Configuration Guide Configuring DoS Protection
Related Commands
Configuration Example
Configuration Enable the function of denying invalid L4 ports in global configuration mode.
Steps
Ruijie(config)# end
Verification Run the show ip deny invalid-l4port command to display the status of the function of denying invalid L4
ports.
The following example shows how to display the status of the function of denying invalid L4 ports:
------------------------------------- -----
21.5 Monitoring
Displaying
Description Command
Displays the status of the function of showipdenyland
denying land attacks.
Displays the status of the function of show ip deny invalid-tcp
denying invalid TCP packets.
Displays the status of the function of show ip deny invalid-l4port
denying invalid L4 ports.
21-8
Configuration Guide Configuring DoS Protection
Description Command
Displays the status of all antiDoS show ip deny
attack functions.
21-9
ACL & QoS Configuration
2. Configuring QoS
Configuration Guide Configuring the ACL
1.1 Overview
Access control list (ACL) is also called access list or firewall. It is even called packet filtering in some documents. The ACL
defines rules to determine whether to forward or drop data packets arriving at a network interface.
Security ACLs: Used to control data flows that are allowed to pass through a network device.
Quality of service (QoS) ACLs: Used to classify and process data flows by priority.
Network access control:To ensure network security, rules are defined to limit access of users to some services (for
example, only access to the WWW and email services is permitted, and access to other services such as Telnet is
prohibited), or to allow users to access services in a specified period of time, or to allow only specified hosts to access
the network.
QoS: QoS ACLs are used to preferentially classify and process important data flows. For details about the use of QoS
ALCs, see the configuration manual related to QoS.
1.2 Applications
Application Description
Access Control of an Enterprise On an enterprise network, the network access rights of each department, for example,
Network access rights of servers and use permissions of chatting tools (such as QQ and
MSN), must be controlled according to requirements.
Internet viruses can be found everywhere. Therefore, it is necessary to block ports that are often used by viruses to ensure
security of an enterprise network as follows:
Prohibit PCs of a non-financial department from accessing PCs of the financial department, and prohibit PCs of a
non-R&D department from accessing PCs of the R&D department.
Prohibit the staff of the R&D department from using chatting tools (such as QQ and MSN) during working hours from
09:00 to 18:00.
Configuration Guide Configuring the ACL
Figure 1-1
Remarks Switch C at the access layer:It is connected to PCs of each department and to Switch B at the aggregation layer
through the gigabit optical fiber (trunk mode).
Switch B at the aggregation layer:Multiple virtual local area networks (VLANs) are divided. One VLAN is defined
for one department. These VLANs are connected to Switch A at the core layer through the 10-gigabit optical fiber
(trunk mode).
Switch A at the core layer:It is connected to various servers, such as the File Transfer Protocol (FTP) server and
Hypertext Transfer Protocol (HTTP) server, and to the Internet through firewalls.
Deployment
Configure an extended ACL on the port G2/1 to filter data packets, thus protecting the network against the viruses. This
port is located on a core-layer device (Switch A) and used to connect Switch A to the uplink port G2/1 of a router.
Allow only internal PCs to access servers, and prohibit external PCs from accessing servers. Define and apply the
extended IP ACLs on G2/2 or switch virtual interface (SVI) 2 that is used to connect Switch A to an aggregation layer
device or server.
Prohibit mutual access between specified departments. Define and apply the extended IP ACLs on G0/22 and G0/23 of
Switch B.
Configure and apply the time-based extended IP ACLs on SVI 2 of Switch B to prohibit the R&D department from using
chatting tools (such as QQ and MSN) in a specified period of time.
Configuration Guide Configuring the ACL
1.3 Features
Basic Concepts
ACL
You can select basic or dynamic ACLs as required. Generally, basic ACLs can meet the security requirements. However,
experienced hackers may use certain software to access the network by means of IP address spoofing. If dynamic ACLs are
used, users are requested to pass identify authentication before accessing the network, which prevents hackers from
intruding the network. Therefore, you can use dynamic ACLs in some sensitive areas to guarantee network security.
IP address spoofing is an inherent problem of all ACLs, including dynamic ACLs. Hackers may use forged IP addresses
to access the network during the validity period of authenticated user identities. Two methods are available to resolve
this problem. One is to set the idle time of user access to a smaller value, which increases the difficulty in intruding
networks. The other is to encrypt network data using the IPSec protocol, which ensures that all data is encrypted when
arriving at a device.
Devices between the internal network and the external network (such as the Internet)
ACL statements must be executed in strict compliance with their sequence in the ACL. Comparison starts from the first
statement. Once the header of a data packet matches a statement in the ACL, the subsequent statements are ignored and
no longer checked.
When receiving a packet on an interface, the device checks whether the packet matches any access control entry (ACE) in
the input ACL of this interface. Before sending a packet through a interface, the device checks whether the packet matches
any ACE in the output ACL of this interface.
When different filtering rules are defined, all or only some rules may be applied simultaneously. If a packet matches an ACE,
this packet is processed according to the action policy (permit or deny) defined in this ACE. ACEs in an ACL identify Ethernet
packets based on the following fields in the Ethernet packets:
Source IP address field (All source IP address values can be specified, or the subnet can be used to define a type of
data flows.)
Destination IP address field (All destination IP address values can be specified, or the subnet can be used to define a
type of data flows.)
Either a TCP source or destination port is specified, or both are specified, or the range of the source or destination port
is specified.
Either a UDP source or destination port is specified, or both are specified, or the range of the source or destination port
is specified.
Filtering fields refer to the fields in packets that can be used to identify or classify packets when an ACE is generated. A
filtering field template is a combination of these fields. For example, when an ACE is generated, packets are identified and
classified based on the destination IP address field in each packet; when another ACE is generated, packets are identified
and classified based on the source IP address field and UDP source port field in each packet. The two ACEs use different
filtering field templates.
Rules refer to values of fields in the filtering field template of an ACE.For example, the content of an ACE is as follows:
In this ACE, the filtering field template is a combination of the following fields:source IP address field, IP protocol field, and
TCP destination port field. The corresponding values (rules) are as follows:source IP address = Host 192.168.12.2; IP
protocol = TCP; TCP destination port = Telnet.
Figure 1-2 Analysis of the ACE: permit tcp host 192.168.12.2 any eq telnet
A filtering field template can be a combination of L3 and L4 fields, or a combination of multiple L2 fields. The filtering
field template of a standard or an extended ACL, however, cannot be a combination of L2 and L3 fields, a combination
Configuration Guide Configuring the ACL
of L2 and L4 fields, or a combination of L2, L3, and L4 fields. To use a combination of L2,L3, and L4 fields, you can use
the expert ACLs.
An SVI associated with ACLs in the outgoing direction supports the IP standard, IP extended, MAC extended, and
expert ACLs.
If an MAC extended or expert ACL is configured to match the destination MAC address and is applied to the outgoing
direction of the SVI, the related ACE can be configured but cannot take effect. If an IP extended or expert ACL is
configured to match the destination IP address, but the destination IP address is not in the subnet IP address range of
the associated SVI, the configured ACL cannot take effect. For example, assume that the address of VLAN 1 is
192.168.64.1 255.255.255.0, an IP extended ACL is created, and the ACE is deny udp any 192.168.65.1 0.0.0.255 eq
255. If this ACL is applied to the outgoing interface of VLAN 1, the ACL cannot take effect because the destination IP
address is not in the subnet IP address range of VLAN 1. If the ACE is deny udp any 192.168.64.1 0.0.0.255 eq 255,
the ACL can take effect because the destination IP address is in the subnet IP address range of VLAN 1.
On a switch, if ACLs are applied to the outgoing direction of a physical port or an aggregate port (AP), the ACLs can
filter only well-known packets (unicast or multicast packets), but not unknown unicast packets. That is, for unknown or
broadcast packets, ACLs configured in the outgoing direction of a port does not take effect.
On a switch, if the input ACL and DOT1X, global IP+MAC binding, port security, and IP source guard are shared among
all ports, the permit and default deny ACEs do not take effect, but other deny ACEs take effect.
On a switch, if the input ACL and QoS are shared, the permit ACEs do not take effect, other deny ACEs take effect, and
the default deny ACE takes effect after the QoS ACE takes effect.
On a switch, you can run the norgos-security compatible command to make the permit and deny ACEs take effect at
the same time when the port-based input ACL and DOT1X, global IP+MAC binding, port security, and IP source guard
are shared.
If ACEs are added to an ACL and then the switch is restarted after an ACL is applied to the incoming direction of
multiple SVIs, the ACL may fail to be configured on some SVIs due to the limited hardware capacity.
If an expert ACL is configured and applied to the outgoing direction of an interface, and some ACEs in this ACL contain
the L3 matching information (e.g. the IP address and L4 port), non-IP packets sent to the device from this interface
cannot be controlled by the permit and deny ACEs in this ACL.
If ACEs of an ACL (IP ACL or expert extended ACL) are configured to match non-L2 fields (such as SIP and DIP), the
ACL does not take effect on tagged MPLS packets.
ACL Logging
To allow users better learn the running status of ACLs on a device, you can determine whether to specify the ACL logging
option as required when adding ACEs. If this option is specified, logs are output when packets matching ACEs are found.
ACL logs are displayed based on ACEs. That is, the device periodically displays ACEs with matched packets and the number
of matched packets. An example of the log is as follows:
*Sep 9 16:23:06: %ACL-6-MATCH: ACL 100 ACE 10 permit icmp any any, match 78 packets.
To control the amount of logs and output frequency, you can configure the log update interval respectively for the IPv4 ACL
and the IPv6 ACL.
Configuration Guide Configuring the ACL
An ACE containing the ACL logging option consumes more hardware resources. If all configured ACEs contain this
option, the ACE capacity of a device will be reduced by half.
By default, the log update interval is 0, that is, no log is output. After the ACL logging option is specified in an ACE, you
need to configure the log update interval to output related logs.
For an ACE containing the ACL logging option, if no packet is matched in the specified interval, no packet matching log
related to this ACE will be output. If matched packets are found in the specified interval, packet matching logs related to
this ACE will be output when the interval expires. The number of matched packets is the total number of packets that
match the ACE during the specified interval, that is, the period from the previous log output to the current log output.
To implement network management, users may want to know whether an ACE has any matched packets and how many
packets are matched. ACLs provide the ACE-based packet matching counters. You can enable or disable packet matching
counters for all ACEs in an ACL, which can be an IP ACL, MAC ACL, expert ACL, or IPv6 ACL. In addition, you can run the
clear counters access-list [ acl-id | acl-name ] command to reset ACL counters for a new round of statistics.
Enabling ACL counters requires more hardware entries. In an extreme case, this will reduce by half the number of
ACEs that can be configured on a device.
Overview
Feature Description
IP ACL Control incoming or outgoing IPv4 packets of a device based on the L3 or L4 information in the IPv4
packet header.
MAC Extended ACL Control incoming or outgoing L2 packets of a device based on the L2 information in the Ethernet
packet header.
Expert Extended ACL Combine the IP ACL and MAC extended ACL into an expert extended ACL, which controls (permits
or denies) incoming or outgoing packets of a device using the same rule based on the L2, L3, and L4
information in the packet header.
IPv6 ACL Control incoming or outgoing IPv6 packets of a device based on the L3 or L4 information in the IPv6
packet header.
ACL Redirection Redirect incoming packets of a device that match ACEs to a specified outgoing interface.
Global Security ACL Make an ACL take effect in the incoming direction of all interfaces, instead of applying the ACL on
every interface.
Security Channel Allow packets to bypass the check of access control applications, such as DOT1X and Web
authentication, to meet requirements of some special scenarios.
SVI Router ACL Enable users in the same VLAN to communicate with each other.
ACL Logging Output ACL packet matching logs at a specified interval according to requirements. The logs help
users learn the packet matching result of a specified ACE.
Configuration Guide Configuring the ACL
1.3.1 IP ACL
The IP ACL implements refined control on incoming and outgoing IPv4 packets of a device. You can permit or deny the entry
of specific IPv4 packets to a network according to actual requirements to control access of IP users to network resources.
Working Principle
Define a series of IP access rules in the IP ACL, and then apply the IP ACL either in the incoming or outgoing direction of an
interface or globally. The device checks whether the incoming or outgoing IPv4 packets match the rules and accordingly
forwards or blocks these packets.
To configure an IP ACL, you must specify a unique name or ID for the ACL of a protocol so that the protocol can uniquely
identify each ACL. The following table lists the protocols that can use IDs to identify ACLs and the range of IDs.
Protocol ID Range
Standard IP 1–99, 1300–1999
Extended IP 100–199, 2000–2699
Basic ACLs include the standard IP ACLs and extended IP ACLs. Typical rules defined in an ACL contain the following
matching fields:
Source IP address
Destination IP address
IP protocol number
The standard IP ACL (ID range: 1–99, 1300–1999) is used to forward or block packets based on the source IP address,
whereas the extended IP ACL (ID range: 100–199, 2000–2699) is used to forward or block packets based on a combination
of the preceding matching fields.
For an individual ACL, multiple independent ACL statements can be used to define multiple rules. All statements reference
the same ID or name so that these statements are bound with the same ACL. However, more statements mean that it is
increasingly difficult to read and understand the ACL.
For routing products, the ICMP code matching field in an ACL rule is ineffective for ICPM packets whose ICPM type is 3.
If the ICPM code of ICMP packets to be matched is configured in an ACL rule, the ACL matching result of incoming
ICMP packets of a device whose ICPM type is 3 may be different from the expected result.
At the end of every IP ACL is an implicit "deny all traffic" rule statement. Therefore, if a packet does not match any rule, the
packet will be denied.
For example:
This ACL permits only packets sent from the source host 192.168.4.12, and denies packets sent from all other hosts. This is
because the following statement exists at the end of this ACL: access-list 1 deny any.
Packets sent from any host will be denied when passing through this port.
When defining an ACL, you must consider the routing update packets. As the implicit "deny all traffic" statement exists
at the end of an ACL, all routing update packets may be blocked.
Every new rule is added to the end of an ACL and in front of the default rule statement. The input sequence of statements in
an ACL is very important. It determines the priority of each statement in the ACL. When determining whether to forward or
block packets, a device compares packets with rule statements based on the sequence that rule statements are created.
After locating a matched rule statement, the device does not check any other rule statement.
If a rule statement is created and denies all traffic, all subsequent statements will not be checked.
For example:
The first rule statement denies all IP packets. Therefore, Telnet packets from the host on the network 192.168.12.0/24 will be
denied. After the device finds that packets match the first rule statement, it does not check the subsequent rule statements
any more.
Related Configuration
Configuring an IP ACL
Run the ip access-list { standard | extended } {acl-name | acl-id} command in global configuration mode to create a
standard or an extended IP ACL and enter standard or extended IP ACL mode.
By default, a newly created IP ACL contains an implicit ACE that denies all IPv4 packets. This ACE is hidden from users, but
takes effect when the ACL is applied to an interface. That is, all IPv4 packets will be discarded. Therefore, if you want the
device to receive or send some specific IPv4 packets, add some ACEs to the ACL.
No matter whether the standard IP ACL is a named or number ACL, you can run the following command in standard IP
ACL mode to add an ACE:
[ sn ] { permit | deny } {hostsource| any | sourcesource-wildcard } [ time-rangetime-range-name ] [ log ]
For a numbered standard IP ACL, you can also run the following command in global configuration mode to add an ACE:
access-list acl-id { permit | deny } {hostsource| any | sourcesource-wildcard } [ time-rangetm-rng-name ][ log ]
Configuration Guide Configuring the ACL
No matter whether the extended IP ACL is a named or numbered ACL, you can run the following command in extended
IP ACL mode to add an ACE:
[ sn ] { permit | deny } protocol{hostsource| any | sourcesource-wildcard } {hostdestination | any | destination
destination-wildcard }[ [ precedenceprecedence [ tos tos ] ] | dscpdscp] [ fragment ] [ time-rangetime-range-name ]
[ log ]
For a numbered extended IP ACL, you can also run the following command in global configuration mode to add an ACE:
access-list acl-id { permit | deny } protocol{hostsource| any | sourcesource-wildcard } {hostdestination | any |
destination destination-wildcard }[ [ precedenceprecedence [ tos tos ] ] | dscpdscp] [ fragment ]
[ time-rangetime-range-name ] [ log ]
Applying an IP ACL
By default, the IP ACL is not applied to any interface, that is, the IP ACL does not filter incoming or outgoing IP packets of the
device.
Run the ip access-group { acl-id | acl-name } { in| out }[reflect] command in interface configuration mode to apply a
standard or an extended IP ACL to a specified interface.
Working Principle
Define a series of MAC access rules in the MAC extended ACL, and then apply the ACL to the incoming or outgoing direction
of an interface. The device checks whether the incoming or outgoing packets match the rules and accordingly forwards or
blocks these packets.
To configure an MAC extended ACL, you must specify a unique name or ID for this ACL to uniquely identify the ACL. The
following table lists the range of IDs that identify MAC extended ACLs.
Protocol ID Range
MAC extended ACL 700–799
The MAC extended ACL (ID range: 700–799) is used to filter packets based on the source or destination MAC address and
the Ethernet type in the packets.
Configuration Guide Configuring the ACL
For an individual MAC extended ACL, multiple independent ACL statements can be used to define multiple rules. All
statements reference the same ID or name so that these statements are bound with the same ACL. However, more
statements mean that it is increasingly difficult to read and understand the ACL.
If ACEs in an MAC extended ACL are not defined specifically for IPv6 packets, that is, the Ethernet type is not specified
or the value of the Ethernet type field is not 0x86dd, the MAC extended ACL does not filter IPv6 packets. If you want to
filter IPv6 packets, use the IPv6 extended ACL.
At the end of every MAC extended ACL is an implicit "deny all traffic" rule statement. Therefore, if a packet does not match
any rule, the packet will be denied.
For example:
This ACL permits only packets from the host with the MAC address 00d0.f800.0001, and denies packets from all other hosts.
This is because the following statement exists at the end of this ACL: access-list 700 deny any any.
Related Configuration
Run the mac access-list extended {acl-name | acl-id } command in global configuration mode to create an MAC extended
ACL and enter MAC extended ACL mode.
By default, a newly created MAC extended ACL contains an implicit ACE that denies all L2 packets. This ACE is hidden from
users, but takes effect when the ACL is applied to an interface. That is, all L2 packets will be discarded. Therefore, if you
want the device to receive or send some specific L2 packets, add some ACEs to the ACL.
No matter whether the MAC extended ACL is a named or numbered ACL, you can run the following command in MAC
extended ACL mode to add an ACE:
[sn] { permit | deny } {any | host src-mac-addr | src-mac-addrmask}{any | host dst-mac-addr | dst-mac-addrmask}
[ethernet-type] [coscos ] [innercos] [ time-rangetm-rng-name ]
For a numbered MAC extended ACL, you can also run the following command in global configuration mode to add an
ACE:
access-list acl-id { permit | deny } {any | host src-mac-addr | src-mac-addrmask }{any | host dst-mac-addr |
dst-mac-addrmask } [ethernet-type] [coscos ] [innercos] [ time-rangetime-range-name ]
By default, the MAC extended ACL is not applied to any interface, that is, the created MAC extended ACL does not filter
incoming or outgoing L2 packets of a device.
Configuration Guide Configuring the ACL
Run the mac access-group { acl-id | acl-name } { in| out } command in interface configuration mode to apply an MAC
extended ACL to a specified interface
Working Principle
Define a series of access rules in the expert extended ACL, and then apply the ACL in the incoming or outgoing direction of
an interface. The device checks whether incoming or outgoing packets match the rules and accordingly forwards or blocks
these packets.
To configure an expert extended ACL, you must specify a unique name or ID for this ACL so that the protocol can uniquely
identify each ACL. The following table lists the ID range of the expert extended ACL.
Protocol ID Range
Expert extended ACL 2700–2899
When an expert extended ACL is created, defined rules can be applied to all packets. The device determines whether to
forward or block packets by checking whether packets match these rules.
VLAN ID
The expert extended ACL (ID range: 2700–2899) is a combination of the basic ACL and MAC extended ACL, and can filter
packets based on the VLAN ID.
For an individual expert extended ACL, multiple independent statements can be used to define multiple rules. All statements
reference the same ID or name so that these statements are bound with the same ACL.
If rules in an expert extended ACL are not defined specifically for IPv6 packets, that is, the Ethernet type is not specified
or the value of the Ethernet type field is not 0x86dd, the expert extended ACL does not filter IPv6 packets. If you want to
filter IPv6 packets, use the IPv6 extended ACL.
At the end of every expert extended ACL is an implicit "deny all traffic" rule statement. Therefore, if a packet does not match
any rule, the packet will be denied.
For example:
This ACL permits only ARP packets whose Ethernet type is 0x0806, and denies all other types of packets. This is because
the following statement exists at the end of this ACL: access-list 2700 deny any any any any.
Configuration Guide Configuring the ACL
Related Configuration
Run the expert access-list extended {acl-name | acl-id } command in global configuration mode to create an expert
extended ACL and enter expert extended ACL mode.
By default, a newly created expert extended ACL contains an implicit ACE that denies all packets. This ACE is hidden from
users, but takes effect when the ACL is applied to an interface. That is, all L2 packets will be discarded. Therefore, if you
want the device to receive or send some specific L2 packets, add some ACEs to the ACL.
No matter whether the expert extended ACL is a named or numbered ACL, you can run the following command in
expert extended ACL mode to add an ACE:
[sn] { permit | deny } [ protocol| [ ethernet-type ] [ cos [ out ] [ inner in ] ] ] [ [ VID [ out ] [ inner in ] ] ]
{ sourcesource-wildcard | hostsource | any } { host source-mac-address | any } { destination destination-wildcard |
hostdestination | any } { host destination-mac-address | any } [ precedenceprecedence ] [ tos tos ] [ fragment ]
[ rangelowerupper ] [ time-rangetime-range-name ]]
For a numbered expert extended ACL, you can also run the following command in expert extended ACL mode to add
an ACE:
access-list acl-id { permit | deny } [ protocol| [ ethernet-type ] [ cos [ out ] [ inner in ] ] ] [ [ VID [ out ] [ inner in ] ] ]
{ sourcesource-wildcard | hostsource | any } { host source-mac-address | any } { destination destination-wildcard |
hostdestination | any } { host destination-mac-address | any } [ precedenceprecedence ] [ tos tos ] [ fragment ]
[ rangelowerupper ] [ time-rangetime-range-name ]]
By default, the expert extended ACL is not applied to any interface, that is, the created expert extended ACL does not filter
incoming or outgoing L2 or L3 packets of a device.
Run the expert access-group { acl-id | acl-name } { in| out } command in interface configuration mode to apply an expert
extended ACL to a specified interface
Working Principle
Define a series of IPv6 access rules in the IPv6 ACL, and then apply the ACL in the incoming or outgoing direction of an
interface. The device checks whether the incoming or outgoing IPv6 packets match the rules and accordingly forwards or
blocks these packets.
To configure an IPv6 ACL, you must specify a unique name for this ACL.
Unlike the IP ACL, MAC extended ACL, and expert extended ACL, you can specify only a name but not an ID for the
IPv6 ACL created.
Only one IP ACL, or one MAC extended ACL, or one expert extended ACL can be applied to the incoming or outgoing
direction of an interface. Besides, one more IPv6 ACL can be applied.
At the end of every IPv6 ACL is an implicit "deny all IPv6 traffic" rule statement. Therefore, if a packet does not match any
rule, the packet will be denied.
For example:
This ACL permits only IPv6 packets from the source host 200::1, and denies IPv6 packets from all other hosts. This is
because the following statement exists at the end of this ACL: deny ipv6 any any.
Although the IPv6 ACL contains the implicit "deny all IPv6 traffic" rule statement by default, it does not filter ND packets.
Every new rule is added to the end of an ACL and in front of the default rule statement. The input sequence of statements in
an ACL is very important. It determines the priority of each statement in the ACL. When determining whether to forward or
block packets, a device compares packets with rule statements based on the sequence that rule statements are created.
After locating a matched rule statement, the device does not check any other rule statement.
If a rule statement is created and permits all IPv6 traffic, all subsequent statements will not be checked.
For example:
As the first rule statement permits all IPv6 packets, all IPv6 packets sent from the host 200::1 does not match the subsequent
deny rule with the serial number of 20, and therefore will not be denied. After the device finds that packets match the first rule
statement, it does not check the subsequent rule statements any more.
Related Configuration
Run the ipv6 access-list acl-name command in global configuration mode to create an IPv6 ACL and enter IPv6 ACL
mode.
By default, a newly created IPv6 ACL contains an implicit ACE that denies all IPv6 packets. This ACE is hidden from users,
but takes effect when the ACL is applied to an interface. That is, all IPv6 packets will be discarded. Therefore, if you want the
device to receive or send some specific IPv6 packets, add some ACEs to the ACL.
By default, the IPv6 ACL is not applied to any interface, that is, the IPv6 ACL does not filter incoming or outgoing IPv6
packets of a device.
Run the ipv6 traffic-filter acl-name { in| out } command in interface configuration mode to apply an IPv6 ACL to a specified
interface.
Working Principle
Bind different ACL policy to an interface and specify an output destination interface for each policy. When receiving packets
on this interface, the device searches ACL policies bound to this interface one by one. If packets match criteria described in a
certain policy, the device forwards packets on the destination interface specified by the policy, thus redirecting packets based
on traffic.
Related Configuration
Configuring an ACL
Before configuring ACL redirection, configure an ACL. For details about how to configure an ACL, see the earlier descriptions
about ACL configuration.
For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert
extended ACL, or IPv6 ACL.
Run the redirect destinationinterface interface-name acl {acl-id | acl-name } in command in interface configuration mode
to configure ACL redirection.
You can configure the ACL redirection function only on an Ethernet interface, AP, or SVI.
For two reasons, it is not convenient to use the port-based ACLs in antivirus scenarios such as virus filtering. The first reason
is that the port-based ACL must be configured on every port, which results in repeated configuration, poor operation
performance, and over-consumption of ACL resources. The second reason is that the access control function of the ACL is
weakened. As the port-based ACL is used for virus filtering, basic functions of the ACL, such as route update restriction and
network access restriction, cannot be used properly. The global security ACL can be used for global antivirus deployment
and defense without affecting the port-based ACL. By running only one command, you can make the global security ACL
takes effect on all L2 interfaces. In contrast, the port-based ACL must be configured on every interface.
Working Principle
The global security ACL takes effect on all L2 interfaces. When both the global security ACL and the port-based ACL are
configured, both take effect. Packets that match the global security ACL are directly filtered out as virus packets. Packets that
do not match the global security ACL are still controlled by the port-based ACL. You can disable the global security ACL on
some ports so that these ports are not controlled by the global security ACL.
The global security ACL is mainly used for virus filtering. Therefore, in an ACL associated with the global security ACL,
only the deny ACEs take effect, and the permit ACEs do not take effect.
Unlike the secure ACL applied to a port, the global security ACL does not contain the default "deny all traffic" ACE, that
is, all packets that do not match the ACL are permitted.
A global secure ACL can take effect either on a L2 port or a routed port. That is, it takes effect on all the following types
of ports: access port, trunk port, hibird port, routed port, and AP (L2 or L3). The global secure ACL does not take effect
on an SVI.
You can disable the global security ACL on an individual physical port or AP, but not on a member port of an AP.
The global secure ACL supports only the associated IP standard ACL, IP extended ACL, MAC extended ACL and
Expert extended ACL.
Configuration Guide Configuring the ACL
Related Configuration
Configuring an ACL
Before configuring the global security ACL, configure an ACL. For details about how to configure an ACL, see the earlier
descriptions about ACL configuration.
For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL.
Run the ip access-group acl-id { in | out } command in global configuration mode to enable the global security ACL.
By default, no exclusive interface is configured for the global security ACL on a device.
Run the no global ip access-group command in interface configuration to disable the global security ACL on a specified
interface.
Working Principle
The security channel is also an ACL, and can be configured globally or for a specified interface. When arriving at an interface,
packets are check on the security channel. If meeting the matching conditions of the security channel, packets directly enters
a switch without undergoing the access control, such as port security, Web authentication, 802.1x, and IP+MAC binding
check. A globally applied security channel takes effect on all interfaces except exclusive interfaces.
The deny ACEs in an ACL that is applied to a security channel do not take effect. In addition, this ACL does not contain
an implicit "deny all traffic" rule statement at the end of the ACL. If packets do not meet matching conditions of the
security channel, they are checked according to the access control rules in compliance with the relevant process.
You can configure up to eight exclusive interfaces for the global security channel. In addition, you cannot configure
interface-based security channel on these exclusive interfaces.
If a security channel is applied to an interface while a global security channel exists, this global security channel does
not take effect on this interface.
Configuration Guide Configuring the ACL
If both port-based migratable authentication mode and security channel are applied to an interface, the security channel
does not take effect.
Related Configuration
Configuring an ACL
Before configuring the security channel, configure an ACL. For details about how to configure an ACL, see the earlier
descriptions about ACL configuration.
For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, or expert
extended ACL.
Run the security access-group {acl-id | acl-name } command in interface configuration mode to configure the security
channel on an interface.
Run the security global access-group {acl-id | acl-name } command in global configuration mode to configure a global
security channel.
By default, no exclusive interface is configured for the global security channel on a device.
Run the security uplink enable command in interface configuration mode to configure a specified interface as the exclusive
interface of the global security channel.
Working Principle
By default, the SVI router ACL function is disabled, and an SVI ACL takes effect on L3 packets forwarded between VLANs
and L2 packets forwarded within a VLAN. After the SVI router ACL function is enabled, the SVI ACL takes effect only on L3
packets forwarded between VLANs.
Configuration Guide Configuring the ACL
Related Configuration
Configuring an ACL
Before configuring the SVI router ACL, configure and apply an ACL. For details about how to configure an ACL, see the
earlier descriptions about ACL configuration.
For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert
extended ACL, or IPv6 ACL.
Applying an ACL
For details about how to apply an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert extended
ACL, or IPv6 ACL. Apply the ACL in SVI configuration mode.
Run the svi router-acls enable command in global configuration mode to enable the SVI router ACL so that the ACL that is
applied to an SVI takes effect only on packets forwarded at L3, and not on packets forwarded at L2 within a VLAN.
Working Principle
To better learn the running status of ACLs on a device, you can determine whether to specify the ACL logging option as
required when adding ACEs. If this option is specified, logs are output when packets matching ACEs are found. ACL logs are
displayed based on ACEs. That is, the device periodically displays ACEs with matched packets and the number of matched
packets. An example of the log is as follows:
*Sep 9 16:23:06: %ACL-6-MATCH: ACL 100 ACE 10 permit icmp any any, match 78 packets.
To control the amount of logs and output frequency, you can configure the log update interval.
An ACE containing the ACL logging option consumes more hardware resources. If all configured ACEs contain this
option, the ACE capacity of a device will be reduced by half.
By default, the log update interval is 0, that is, no log is output. After the ACL logging option is specified in an ACE, you
need to configure the log update interval to output related logs; otherwise, logs are not output.
For an ACE containing the ACL logging option, if no packet is matched in the specified interval, no packet matching log
related to this ACE will be output. If matched packets are found in the specified interval, packet matching logs related to
this ACE will be output when the interval expires. The number of matched packets is the total number of packets that
match the ACE during the specified interval, that is, the period from the previous log output to the current log output.
Configuration Guide Configuring the ACL
You can configure the ACL logging option only for an IP ACL or an IPv6 ACL.
Related Configuration
Configuring an ACL
Configure an ACL before configuring ACEs containing the ACL logging option. For details about how to configure an ACL,
see the earlier descriptions about ACL configuration.
For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL and IPv6 ACL. Note that the
ACL logging option must be configured.
Run the {ip | ipv6} access-list log-update inerval time command in the configuration mode to configure the interval at
which the ACL logs are output.
Applying an ACL
For details about how to apply an ACL, see the earlier descriptions about the IP ACL and IPv6 ACL.
Working Principle
To implement network management, users may want to know whether an ACE has any matched packets and how many
packets are matched.ACLs provide the ACE-based packet matching counters. You can enable or disable packet matching
counters for all ACEs in an ACL. When a packet matches the ACE, the corresponding counter increments by 1. You can run
the clear counters access-list [ acl-id | acl-name ] command to reset counters of all ACEs in an ACL for a new round of
statistics.
Enabling ACL counters requires more hardware entries. In an extreme case, this will reduce by half the number of
ACEs that can be configured on a device.
You can enable packet matching counters on an IP ACL, MAC ACL, expert ACL, or IPv6 ACL.
Related Configuration
Configuring an ACL
Configure an ACL before configuring ACEs containing the ACL logging option. For details about how to configure an ACL,
see the earlier descriptions about ACL configuration.
Configuration Guide Configuring the ACL
For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL and IPv6 ACL. Note that the
ACL logging option must be configured.
To enable packet matching counters on an IP ACL, MAC ACL, or expert ACL, run the {mac | expert | ip} access-list
counter { acl-id | acl-name } command in global configuration mode.
To enable packet matching counters on an IPv6 ACL, run the ipv6 access-list counter acl-name command in global
configuration mode.
Applying an ACL
For details about how to apply an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert extended
ACL, or IPv6 ACL.
Run the clear countersaccess-list [acl-id | acl-name ] command in privileged EXEC mode to reset packet matching
counters.
Working Principle
IP packets may be fragmented when transmitted on the network. When fragmentation occurs, only the first fragment of the
packet contains the L4 information, such as the TCP/UDP port number, ICMP type, and ICMP code, and other fragmented
packets do not contain the L4 information. By default, if an ACE contains the fragment flag, fragmented packets except the
first fragments are filtered. If an ACE does not contain the fragment flag, all fragmented packets (including the first fragments)
are filtered. In addition to this default fragmented packet matching mode, a new fragmented packet matching mode is
provided. You can switch between the two fragmented packet matching modes as required on a specified ACL. In the new
fragmented packet matching mode, if an ACE does not contain the fragment flag and packets are fragmented, the first
fragments are compared with all the matching fields (including L3 and L4 information) defined in the ACE, and other
fragmented packets are compared with only the non-L4 information defined in the ACE.
In the new fragmented packet matching mode, if an ACE does not contain the fragment flag and the action is Permit,
this type of ACE occupies more hardware entries. In an extreme case, this will reduce by half the number of hardware
entries. If Established is configured for filter the TCP flag in an ACE, more hardware entries will be occupied.
The ACL will be temporarily ineffective during switchover of the fragmented packet matching mode.
In the new fragmented packet matching mode, if an ACE does not contain the fragment flag, the L4 information of
packets needs to be compared, and the action is Permit, the ACE checks the L3 and L4 information of the first
fragments of packets, and checks only the L3 information of other fragmented packets. If the action is Deny, the ACE
checks only the first fragments of packets, and ignores other fragmented packets.
Configuration Guide Configuring the ACL
In the new fragmented packet matching mode, if an ACE contains the fragment flag, the ACE checks only fragmented
packets but not the first fragments of packets no matter whether the action in the ACE is Permit or Deny.
Only the IP extended ACL and the expert extended ACL support switching between the two fragmented packet
matching modes.
Related Configuration
Configuring an ACL
For details about how to configure an ACL, see the earlier descriptions about the IP ACL and expert extended ACL.
For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL and expert extended ACL. Note
that the fragment option must be added.
Run the [ no ] {ip | expert} access-list new-fragment-mode { acl-id | acl-name } command in global configuration mode to
switch the fragmented packet matching mode.
Applying an ACL
For details about how to apply an ACL, see the earlier descriptions about the IP ACL and expert extended ACL.
1.4 Configuration
Configuring ACL Redirection (Optional) It is used to redirect packets meeting the rules to a specified interface.
Configuring a Security (Optional) It is used to enable packets meeting some characteristics to bypass the
Channel checks of access control applications, such as the DOT1X and Web authentication.
Configuring Comments for (Optional) It is used to configure comments for an ACL or ACE so that users can easily
ACLs identify the functions of the ACL or ACE.
Configure and apply an IP ACL to an interface to control all incoming and outgoing IPv4 packets of this interface. You can
permit or deny the entry of specific IPv4 packets to a network to control access of IP users to network resources.
Notes
N/A
Configuration Steps
Configuring an IP ACL
(Mandatory) Configure an IP ACL if you want to control access of IPv4 users to network resources.
You can configure this ACL on an access, an aggregate, or a core device based on the distribution of users. The IP
ACL takes effect only on the local device, and does not affect other devices on the network.
(Optional) An ACL may contain zero or multiple ACEs. If no ACE is configured, all incoming IPv4 packets of the device
are denied by default.
Applying an IP ACL
(Mandatory) Apply an IP ACL to a specified interface if you want this ACL take effect.
You can apply an IP ACL on a specified interface of an access, an aggregate, or a core device based on the distribution
of users.
Verification
Use the following methods to verify the configuration effects of the IP ACL:
Configuration Guide Configuring the ACL
Run the ping command to verify that the IP ACL takes effect on the specified interface. For example, if an IP ACL is
configured to prohibit a host with a specified IP address or hosts in a specified IP address range from accessing the
network, run the ping command to verify that the host(s) cannot be successfully pinged.
Access related network resources to verify that the IP ACL takes effect on the specified interface. For example, access
the Internet or access the FTP resources on the network through FTP.
Related Commands
Configuring an IP ACL
Command [ sn ] { permit | deny } {host source | any | source source-wildcard } [ time-range time-range-name ] [ log ]
Parameter sn: Indicates the sequence number of an ACE. The value ranges from 1 to 2,147,483,647. This sequence
Description number determines the priority of this ACE in the ACL. A smaller sequence number indicates a higher
priority. An ACE with a higher priority will be preferentially used to match packets. If you do not specify the
sequence number when adding an ACE, the system automatically allocates a sequence number, which is
equal to an increment (10 by default) plus the sequence number of the last ACE in the current ACL. For
example, if the sequence number of the last ACE is 100, the sequence number of a newly-added ACE will
be 110 by default. You can adjust the increment using a command.
permit: Indicates that the ACE is a permit ACE.
deny: Indicates that the ACE is a deny ACE.
host source: Indicates that IP packets sent from a host with the specified source IP address are filtered.
Configuration Guide Configuring the ACL
any: Indicates that IP packets sent from any host are filtered.
source source-wildcard: Indicates that IP packets sent from hosts in the specified IP network segment are
filtered.
time-range time-range-name: Indicates that this ACE is associated with a time range. The ACE takes effect
only within this time range. For details about the time range, see the configuration manual of the time range.
log: Indicates that logs will be periodically output if packets matching the ACEs are found. For details about
logs, see "ACL Logging" in this document.
Command Standard IP ACL configuration mode
Mode
Usage Guide Run this command to add ACEs in standard IP ACL configuration mode. The ACL can be a named or
numbered ACL.
Command access-list acl-id { permit | deny } {host source | any | source source-wildcard } [ time-range
tm-rng-name ] [ log ]
Parameter acl-id: Indicates the ID of a numbered ACL. It uniquely identifies an ACL. The value range of acl-id is
Description 100–199 and 1300–1999.
permit: Indicates that the ACE is a permit ACE.
deny: Indicates that the ACE is a deny ACE.
host source: Indicates that IP packets sent from a host with the specified source IP address are filtered.
any: Indicates that IP packets sent from any host are filtered.
source source-wildcard: Indicates that IP packets sent from hosts in the specified IP network segment are
filtered.
time-range time-range-name: Indicates that this ACE is associated with a time range. The ACE takes effect
only within this time range. For details about the time range, see the configuration manual of the time range.
log: Indicates that logs will be periodically output if packets matching the ACEs are found. For details about
logs, see "ACL Logging" in this document.
Command Standard IP ACL configuration mode
Mode
Usage Guide Run this command to add ACEs to a numbered IP ACL in global configuration mode.It cannot be used to
add ACEs to a named IP ACL.
Command [ sn ] { permit | deny } protocol {host source | any | source source-wildcard } {host destination | any |
destination destination-wildcard } [ [ precedence precedence [ tos tos ] ] | dscp dscp] [ fragment ]
[ time-range time-range-name ] [ log ]
Parameter sn: Indicates the sequence number of an ACE. The value ranges from 1 to 2,147,483,647. This sequence
Description number determines the priority of this ACE in the ACL. A smaller sequence number indicates a higher
priority. An ACE with a higher priority will be preferentially used to match packets. If you do not specify the
sequence number when adding an ACE, the system automatically allocates a sequence number, which is
Configuration Guide Configuring the ACL
equal to an increment (10 by default) plus the sequence number of the last ACE in the current ACL. For
example, if the sequence number of the last ACE is 100, the sequence number of a newly-added ACE will
be 110 by default. You can adjust the increment using a command.
permit: Indicates that the ACE is a permit ACE.
deny: Indicates that the ACE is a deny ACE.
protocol: Indicates the IP protocol number. The value ranges from 0 to 255. To facilitate the use, the system
provides frequently-used abbreviations to replace the specific IP protocol numbers, including eigrp, gre,
icmp, igmp, ip, ipinip, nos, ospf, tcp, and udp.
host source: Indicates that IP packets sent from a host with the specified source IP address are filtered.
source source-wildcard: Indicates that IP packets sent from hosts in the specified IP network segment are
filtered.
host destination: Indicates that IP packets sent to a host with the specified destination IP address are
filtered. If the any keyword is configured, IP packets sent to any host are filtered.
destination destination-wildcard: Indicates that IP packets sent to hosts in a specified IP network segment
are filtered.
any: Indicates that IP packets sent to or from any host are filtered.
precedence precedence: Indicates that IP packets with the specified precedence field in the header are
filtered.
tos tos: Indicates that IP packets with the specified the type of service (TOS) field in the header are filtered.
dscp dscp: Indicates that IP packets with the specified the dcsp field in the header are filtered.
fragment: Indicates that only fragmented IP packets except the first fragments are filtered.
time-range time-range-name: Indicates that this ACE is associated with a time range. The ACE takes effect
only within this time range. For details about the time range, see the configuration manual of the time range.
log: Indicates that logs will be periodically output if packets matching the ACEs are found. For details about
logs, see "ACL Logging" in this document.
Command Extended IP ACL configuration mode
Mode
Usage Guide Run this command to add ACEs in extended IP ACL configuration mode. The ACL can be a named or
numbered ACL.
Command access-list acl-id { permit | deny } protocol {host source | any | source source-wildcard } {host destination |
any | destination destination-wildcard } [ [ precedence precedence [ tos tos ] ] | dscp dscp] [ fragment ]
[ time-range time-range-name ] [ log ]
Parameter acl-id: Indicates the ID of a numbered ACL. It uniquely identifies an ACL. The value range of acl-id is
Description 100–199 and 2000–1999.
sn: Indicates the sequence number of an ACE. The value ranges from 1 to 2,147,483,647. This sequence
number determines the priority of this ACE in the ACL. A smaller sequence number indicates a higher
priority. An ACE with a higher priority will be preferentially used to match packets. If you do not specify the
sequence number when adding an ACE, the system automatically allocates a sequence number, which is
equal to an increment (10 by default) plus the sequence number of the last ACE in the current ACL. For
Configuration Guide Configuring the ACL
example, if the sequence number of the last ACE is 100, the sequence number of a newly-added ACE will
be 110 by default. You can adjust the increment using a command.
permit: Indicates that the ACE is a permit ACE.
deny: Indicates that the ACE is a deny ACE.
protocol: Indicates the IP protocol number. The value ranges from 0 to 255. To facilitate the use, the
system provides frequently-used abbreviations to replace the specific IP protocol numbers, including eigrp,
gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, and udp.
host source: Indicates that IP packets sent from a host with the specified source IP address are filtered.
source source-wildcard: Indicates that IP packets sent from hosts in the specified IP network segment are
filtered.
host destination: Indicates that IP packets sent to a host with the specified destination IP address are
filtered. If the any keyword is configured, IP packets sent to any host are filtered.
destination destination-wildcard: Indicates that IP packets sent to hosts in a specified IP network segment
are filtered.
any: Indicates that IP packets sent to or from any host are filtered.
precedence precedence: Indicates that IP packets with the specified precedence field in the header are
filtered.
tos tos: Indicates that IP packets with the specified the type of service (TOS) field in the header are filtered.
dscp dscp: Indicates that IP packets with the specified the dcsp field in the header are filtered.
fragment: Indicates that only fragmented IP packets except the first fragments are filtered.
time-range time-range-name: Indicates that this ACE is associated with a time range. The ACE takes effect
only within this time range. For details about the time range, see the configuration manual of the time range.
log: Indicates that logs will be periodically output if packets matching the ACEs are found. For details about
logs, see "ACL Logging" in this document.
Command Extended IP ACL configuration mode
Mode
Usage Guide Run this command to add ACEs to a numbered IP ACL in extended IP ACL configuration mode.It cannot be
used to add ACEs to a named extended IP ACL.
Applying an IP ACL
in: Indicates that this ACL controls incoming IP packets of the interface.
out: Indicates that this ACL controls outgoing IP packets of the interface.
Command Interface configuration mode
Mode
Usage Guide This command makes an IP ACL take effect on the incoming or outgoing packets of a specified interface.
Configuration Guide Configuring the ACL
Configuration Example
Configuring an IP ACL to Prohibit Departments Except the Financial Department from Accessing the Financial
Data Server
Scenario
Figure 1-3
sw1(config-std-nacl)#exit
Verification On a PC of the R&D department, ping the financial data server. Verify that the ping operation fails.
On a PC of the financial department, ping the financial data server. Verify that the ping operation
succeeds.
SW1
sw1(config)#show access-lists
ip access-list standard 1
sw1(config)#show access-group
ip access-group 1 out
Configure and apply an MAC extended ACL to an interface to control all incoming and outgoing IPv4 packets of this interface.
You can permit or deny the entry of specific L2 packets to a network to control access of users to network resources based
on L2 packets.
Notes
N/A
Configuration Steps
(Mandatory) Configure an MAC extended ACL if you want to control users' access to network resources based on the
L2 packet header, for example, the MAC address of each user's PC.
You can configure this ACL on an access, an aggregate, or a core device based on the distribution of users. The MAC
extended ACL takes effect only on the local device, and does not affect other devices on the network.
(Optional) An ACL may contain zero or multiple ACEs. If no ACE is configured, all incoming L2 Ethernet packets of the
device are denied by default.
(Mandatory) Apply an MAC extended ACL to a specified interface if you want this ACL take effect.
You can apply an MAC extended ACL on a specified interface of an access, an aggregate, or a core device based on
the distribution of users.
Verification
Use the following methods to verify the configuration effects of the MAC extended ACL:
If an MAC extended ACL is configured to permit or deny some IP packets, run the ping command to check whether
ACEs of this ACL takes effect on the specified interface. For example, an MAC extended ACL is configured to prevent a
device interface from receiving IP packets (Ethernet type is 0x0800), run the ping command for verification.
Configuration Guide Configuring the ACL
If an MAC extended ACL is configured to permit or deny some non-IP packets (e.g. ARP packets), also run the ping
command to check whether ACEs of this ACL takes effect on the specified interface. For example, to filter out ARP
packets, run the ping command for verification.
You can also construct L2 packets meeting some specified characteristics to check whether the MAC extended ACL
takes effect. Typically, prepare two PCs, construct and send L2 packets on one PC, enable packet capturing on another
PC, and check whether packets are forwarded as expected (forwarded or blocked) according to the action specified in
the ACEs.
Related Commands
Use either of the following methods to add ACEs to an MAC extended ACL:
Command [sn] { permit | deny } {any | host src-mac-addr | src-mac-addr mask} {any | host dst-mac-addr |
dst-mac-addr mask } [ethernet-type] [cos cos [inner cos ]] [ time-range tm-rng-name ]
Parameter sn: Indicates the sequence number of an ACE. The value ranges from 1 to 2,147,483,647. This sequence
Description number determines the priority of this ACE in the ACL. A smaller sequence number indicates a higher
priority. An ACE with a higher priority will be preferentially used to match packets. If you do not specify the
sequence number when adding an ACE, the system automatically allocates a sequence number, which is
equal to an increment (10 by default) plus the sequence number of the last ACE in the current ACL. For
example, if the sequence number of the last ACE is 100, the sequence number of a newly-added ACE will
be 110 by default. You can adjust the increment using a command.
permit: Indicates that the ACE is a permit ACE.
deny: Indicates that the ACE is a deny ACE.
any: Indicates that L2 packets sent from any host are filtered.
host src-mac-addr: Indicates that IP packets sent from a host with the specified source MAC address are
filtered.
Configuration Guide Configuring the ACL
Command access-list acl-id { permit | deny } {any | host src-mac-addr | src-mac-addr mask } {any | host
dst-mac-addr | dst-mac-addr mask } [ethernet-type] [cos cos [inner cos]] [ time-range tm-rng-name ]
Parameter acl-id: Indicates the ID of a numbered ACL. It uniquely identifies an ACL. The value range of acl-id is
Description 700–799.
permit: Indicates that the ACE is a permit ACE.
deny: Indicates that the ACE is a deny ACE.
host src-mac-addr: Indicates that IP packets sent from a host with the specified source MAC address are
filtered.
src-mac-addr mask: Indicates that the source MAC address is reversed.
any: Indicates that L2 packets sent to any host are filtered.
host dst-mac-addr: Indicates that IP packets sent to a host with the specified destination MAC address are
filtered.
dst-mac-addr mask: Indicates that the destination MAC address is reversed.
ethernet-type: Indicates that L2 packets of the specified Ethernet type are filtered.
cos cos: Indicates that L2 packets with the specified cos field in the outer tag are filtered.
inner cos: Indicates that L2 packets with the specified cos field in the inner tag are filtered.
time-range time-range-name: Indicates that this ACE is associated with a time range. The ACE takes effect
only within this time range. For details about the time range, see the configuration manual of the time range.
Command Global configuration mode
Mode
Usage Guide Run this command to add ACEs to a numbered MAC extended ACL in global configuration mode. It cannot
be used to add ACEs to a named MAC extended ACL.
Parameter acl-id: Indicates that a numbered MAC extended IP ACL will be applied to the interface.
Description acl-name: Indicates that a named MAC extended IP ACL will be applied to the interface.
in: Indicates that this ACL controls incoming L2 packets of the interface.
out: Indicates that this ACL controls outgoing L2 packets of the interface.
Command Interface configuration mode
Mode
Usage Guide This command makes an MAC extended ACL take effect on the incoming or outgoing packets of a specified
interface.
Configuration Example
Scenario
Figure 1-4
sw1(config-mac-nacl)#exit
Verification On a visitor's PC, ping the financial data server. Verify that the ping operation fails.
On a visitor's PC, ping the public resource server. Verify that the ping operation succeeds.
On a visitor's PC, access the Internet, for example, visit the Baidu website. Verify that the webpage can
be opened.
SW1
sw1(config)#show access-lists
sw1(config)#show access-group
Configure and apply an expert extended ACL to an interface to control incoming and outgoing packets of the interface based
on the L2 and L3 information, and allow or prohibit the entry of specific packets to the network. In addition, you can configure
an expert extended ACL to control all L2 packets based on the VLAN to permit or deny the access of users in some network
segments to network resources. Generally, you can use an expert extended ACL if you want to incorporate ACEs of the IP
ACL and MAC extended ACL into one ACL.
Configuration Steps
(Mandatory) Configure an expert extended ACL if you want to control users' access to network resources based on the
L2 packet header, for example, the VLAN ID.
You can configure this ACL on an access, an aggregate, or a core device based on the distribution of users. The expert
extended ACL takes effect only on the local device, and does not affect other devices on the network.
(Optional) An ACL may contain zero or multiple ACEs. If no ACE is configured, all incoming packets of the device are
denied by default.
(Mandatory) Apply an expert extended ACL to a specified interface if you want this ACL take effect.
You can apply an expert extended ACL in the incoming or outgoing direction of a specified interface of an access, an
aggregate, or a core device based on the distribution of users.
Configuration Guide Configuring the ACL
Verification
Use the following methods to verify the configuration effects of the expert extended ACL:
If IP-based access rules are configured in an expert extended ACL to permit or deny some IP packets, run the ping
command to verify whether these rules take effect.
If MAC-based access rules are configured in an expert extended ACL to permit or deny some L2 packets (e.g. ARP
packets), also run the ping command to check whether ACEs of this ACL takes effect on the specified interface. For
example, to filter out ARP packets, run the ping command for verification.
If VLAN ID-based access rules are configured in an expert extended ACL to permit or deny some L2 packets in some
network segments (e.g., to prevent communication between VLAN 1 users and VLAN 2 users), ping PCs of VLAN 2 on
a PC of VLAN 1. If the ping operation fails, the rules take effect.
Related Commands
Use either of the following methods to add ACEs to an expert extended ACL:
Command [sn] { permit | deny } [ protocol | [ ethernet-type ] [ cos [ out ] [ inner in ] ] ] [ [ VID [ out ] [ inner in ] ] ]
{ source source-wildcard | host source | any } { host source-mac-address | any } { destination
destination-wildcard | host destination | any } { host destination-mac-address | any } [ precedence
precedence ] [ tos tos ] [ fragment ] [ range lower upper ] [ time-range time-range-name ]]
Parameter sn: Indicates the sequence number of an ACE. The value ranges from 1 to 2,147,483,647. This sequence
Description number determines the priority of this ACE in the ACL. A smaller sequence number indicates a higher
priority. An ACE with a higher priority will be preferentially used to match packets. If you do not specify the
sequence number when adding an ACE, the system automatically allocates a sequence number, which is
equal to an increment (10 by default) plus the sequence number of the last ACE in the current ACL. For
example, if the sequence number of the last ACE is 100, the sequence number of a newly-added ACE will
be 110 by default. You can adjust the increment using a command.
Configuration Guide Configuring the ACL
Command access-list acl-id { permit | deny } [ protocol | [ ethernet-type ] [ cos [ out ] [ inner in ] ] ] [ [ VID [ out ] [ inner
in ] ] ] { source source-wildcard | host source | any } { host source-mac-address | any } { destination
destination-wildcard | host destination | any } { host destination-mac-address | any } [ precedence
Configuration Guide Configuring the ACL
Configuration Example
Configuring an Expert Extended ACL to Restrict Resources Accessible by Visitors (It is required that visitors
and employees cannot communicate with each other, visitors can access the public resource server but not
the financial data server of the company.)
Scenario
Figure 1-5
sw1(config-exp-nacl)#exit
Verification On a visitor's PC, ping the financial data server. Verify that the ping operation fails.
On a visitor's PC, ping the public resource server. Verify that the ping operation succeeds.
On a visitor's PC, ping the gateway address 192.168.1.1 of an employee. Verify that the ping operation
fails.
On a visitor's PC, access the Internet, for example, visit the Baidu website. Verify that the webpage can
be opened.
SW1
sw1(config)#show access-lists
sw1(config)#show access-group
Configure and apply an IPv6 ACL to an interface to control all incoming and outgoing IPv5 packets of this interface. You can
permit or deny the entry of specific IPv6 packets to a network to control access of IPv6 users to network resources.
Configuration Steps
(Mandatory) Configure an IP ACL if you want to access of IPv4 users to network resources.
You can configure this ACL on an access, an aggregate, or a core device based on the distribution of users. The IPv6
ACL takes effect only on the local device, and does not affect other devices on the network.
(Optional) An ACL may contain zero or multiple ACEs. If no ACE is configured, all incoming IPv6 packets of the device
are denied by default.
(Mandatory) Apply an IPv6 ACL to a specified interface on a device if you want this ACL take effect.
You can apply an IPv6 ACL on a specified interface of an access, an aggregate, or a core device based on the
distribution of users.
Verification
Use the following methods to verify the configuration effects of the IPv6 ACL:
Run the ping command to verify that the IPv6 ACL takes effect on the specified interface. For example, if an IPv6 ACL
is configured to prohibit a host with a specified IP address or hosts in a specified IPv6 address range from accessing the
network, run the ping command to verify that the host(s) cannot be successfully pinged.
Access network resources, for example, visit an IPv6 website, to check whether the IPv6 ACL takes effect on the
specified interface.
Related Commands
Command [sn] {permit | deny } protocol {src-ipv6-prefix/prefix-len | host src-ipv6-addr | any} {dst-ipv6-pfix/pfix-len |
host dst-ipv6-addr | any} [op dstport | range lower upper ] [dscp dscp] [flow-label flow-label] [fragment]
[time-rangetm-rng-name][log]
Parameter sn: Indicates the sequence number of an ACE. The value ranges from 1 to 2,147,483,647. This sequence
Description number determines the priority of this ACE in the ACL. A smaller sequence number indicates a higher
priority. An ACE with a higher priority will be preferentially used to match packets. If you do not specify the
sequence number when adding an ACE, the system automatically allocates a sequence number, which is
equal to an increment (10 by default) plus the sequence number of the last ACE in the current ACL. For
example, if the sequence number of the last ACE is 100, the sequence number of a newly-added ACE will
be 110 by default. You can adjust the increment using a command.
permit: Indicates that the ACE is a permit ACE.
deny: Indicates that the ACE is a deny ACE.
Configuration Guide Configuring the ACL
protocol: Indicates the IPv6 protocol number. The value ranges from 0 to 255. To facilitate the use, the
system provides frequently-used abbreviations of IPv6 protocol numbers to replace the specific IP protocol
numbers, including icmp, ipv6, tcp, and udp.
src-ipv6-prefix/prefix-len: Indicates that IP packets sent from hosts in the specified IPv6 network segment
are filtered.
host src-ipv6-addr: Indicates that IPv6 packets sent from a host with the specified source IP address are
filtered.
any: Indicates that IPv6 packets sent from any host are filtered.
dst-ipv6-pfix/pfix-len: Indicates that IPv6 packets sent from hosts in the specified IPv6 network segment are
filtered.
host dst-ipv6-addr: Indicates that IPv6 packets sent to a host with the specified destination IP address are
filtered.
any: Indicates that IPv6 packets sent to any host are filtered.
op dstport: Indicates that TCP or UDP packets are filtered based on the L4 destination port number. The
value of the op parameter can be eq (equal to), neq (not equal to), gt (greater than), or lt (smaller than).
range lower upper: Indicates that TCP or UDP packets with the L4 destination port number in the specified
range are filtered.
dscp dscp: Indicates that IPv6 packets with the specified the dcsp field in the header are filtered.
flow-label flow-label: Indicates that IPv6 packets with the specified the flow label field in the header are
filtered.
fragment: Indicates that only fragmented IPv6 packets except the first fragments are filtered.
time-range time-range-name: Indicates that this ACE is associated with a time range. The ACE takes effect
only within this time range. For details about the time range, see the configuration manual of the time range.
log: Indicates that logs will be periodically output if packets matching the ACEs are found. For details about
logs, see "ACL Logging" in this document.
Command IPv6 ACL configuration mode
Mode
Usage Guide Run this command to add ACEs in IPv6 ACL configuration mode.
To filter IPv6 packets except for the TCP or UDP packets, add ACEs to an IPv6 ACL as follows:
Configuration Example
Configuring an IPv6 ACL to Prohibit the R&D Department from Accessing the Video Server
Configuration Guide Configuring the ACL
Scenario
Figure 1-6
sw1(config-ipv6-nacl)#exit
Verification On a PC of the R&D department, ping the video server. Verify that the ping operation fails.
SW1
sw1(config)#show access-lists
sw1(config)#show access-group
Configure the ACL redirection function on a specified interface to directly redirect specified packets on the interface to a
specified port for further forwarding.
Configuration Steps
Configuring an ACL
(Mandatory) To implement ACL redirection, you must first configure an ACL, for example, an IP, MAC extended, or
expert extended ACL. For details about how to configure an ACL, see the related descriptions.
You can configure this ACL on an access, an aggregate, or a core device based on the distribution of users. The IPv6
ACL takes effect only on the local device, and does not affect other devices on the network.
(Optional) An ACL may contain zero or multiple ACEs. If no ACE is configured, the ACL redirection function is not
available. For details about how to add an ACE to an ACL, see the related descriptions.
(Mandatory) Enable ACL redirection on a specified interface if you want to implement ACL redirection.
You can configure the ACL redirection function on a specified interface of an access, an aggregate, or a core device
based on the distribution of users.
Verification
Send packets matching ACEs on the port where ACL redirection is enabled, and then use the packet capturing software on
the destination port to check whether the ACL redirection function takes effect.
Related Commands
Configuring an ACL
For details about how to configure an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert
extended ACL, or IPv6 ACL.
For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert
extended ACL, or IPv6 ACL.
Configuration Example
Enabling ACL Redirection to Redirect Packets Sent from the Host 10.1.1.1 to the Packet Capturing Device for
Analysis
Scenario
Figure 1-7
sw1(config-std-nacl)#exit
Verification Capture packets on PC 2. Ping the video server on PC 1. Verify that ICMP requests sent from PC 1 are
captured on PC 2.
SW1
sw1#show access-lists
ip access-list standard 1
Configuration Guide Configuring the ACL
Configure a global security ACL to prevent internal PCs of a company from accessing illegal websites or prevent virus from
attacking the company's internal network. You can also configure exclusive interfaces to allow specified departments of the
company to access external websites.
Configuration Steps
Configuring an ACL
(Mandatory) Configure an ACL if you want to protect the internal network globally. For details about the configuration
method, see the earlier descriptions about the ACL.
You can configure this ACL on an access, an aggregate, or a core device based on the distribution of users. The
configurations take effect only on the local device, and do not affect other devices on the network.
(Optional) An ACL may contain zero or multiple ACEs. If no ACE is configured, it is equivalent that the global security
ACL does not exist. For details about how to add an ACE to an ACL, see the related descriptions.
(Mandatory) Enable the global security function if you want to make the global security ACL take effect.
You can configure a global security ACL on an access, an aggregate, or a core device based on the distribution of
users.
Verification
On the internal network protected by the global security ACL, ping the website or device that are denied by ACEs to check
whether the global security ACL takes effect.
Related Commands
Configuring an ACL
For details about the configuration method, see the earlier descriptions about the ACL.
For details about the configuration method, see the earlier descriptions about the ACL.
Configuration Guide Configuring the ACL
Configuration Example
Configuring a Global Security ACL to Prevent the R&D Department From Accessing the Server of the Sales
Department but Allow the Sales Department to Access This Server
Scenario
Figure 1-8
Steps Add the ACE that prevents the device to forward packets to the destination host 10.1.1.3/24.
Configure the ACL "ip_ext_deny_dst_sale_server" as a global security ACL.
Configure the interface directly connected to the sales department as the exclusive interface of the
global security ACL.
SW1
sw1(config)#ip access-list extended ip_ext_deny_dst_sale_server
sw1(config-ext-nacl)#exit
Verification On a PC of the sales department, ping the server of the sales department. Verify that the ping
operation succeeds.
On the PCs of R&D department 1 and R&D department 2, ping the server of the sales department.
Verify that the ping operations fail.
sw1#show access-lists
sw1#show running
……
ip access-group ip_ext_deny_dst_sale_server in
no global ip access-group
!
Configuration Guide Configuring the ACL
……
Configure a security channel to enable packets meeting the security channel rules to bypass the checks of access control
applications. Configure the security channel if an access control application (such as DOT1X) is enabled on an uplink
interface of a user, but the user should be allowed to log in to a website to download some resources (for example,
downloading the Ruijie SU client) before the DOT1X authentication.
Configuration Steps
Configuring an ACL
(Mandatory) Configure an ACL before configuring the security channel. For details about the configuration method, see
the earlier descriptions.
You can configure this ACL on an access, an aggregate, or a core device based on the distribution of users. The
configurations take effect only on the local device, and do not affect other devices on the network.
(Optional) An ACL may contain zero or multiple ACEs. If no ACE is configured for an ACL, it is equivalent that the
security channel does not take effect. For details about how to add an ACE to an ACL, see the related descriptions.
Configure a security channel on an interface if you want this security channel to take effect on the interface. Configure a
global security channel if you want this security channel to take effect globally. You must configure either the
interface-based security channel or the global security channel.
You can configure a security channel on an access, an aggregate, or a core device based on the distribution of users.
(Optional) Configure an interface as the exclusive interface for the global security channel if you do not want the global
security channel to take effect on this interface.
(Optional) You can enable the DOT1X or Web authentication function to verify the security channel function.
You can configure the access control function on an access, an aggregate, or a core device based on the distribution of
users.
Verification
On a PC that is subject to the control of an access control application, ping the resources (devices or servers) that are
allowed to bypass the check of the access control application to verify the configuration of the security channel.
Configuration Guide Configuring the ACL
Related Commands
Configuring an ACL
For details about how to configure an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert
extended ACL, or IPv6 ACL.
For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert
extended ACL, or IPv6 ACL.
Configuration Example
Enabling DOT1X Authentication and Configuring a Security Channel to Allow Users to Download the SU
Software From the Server Before Authentication
Scenario
Figure 1-9
Verification On a PC of the sales department, ping the server of the sales department. Verify that the ping
operation succeeds.
On the PCs of R&D department 1 and R&D department 2, ping the server of the sales department.
Verify that the ping operations fail.
sw1#show access-lists
Building configuration...
Configure the time range-based ACEs if you want some ACEs to take effect or to become invalid in a specified period of time,
for example, in some time ranges during a week.
Configuration Steps
Configuring an ACL
(Mandatory) Configure an ACL if you want ACEs to take effect in the specified time range. For details about the
configuration method, see the earlier descriptions.
You can configure this ACL on an access, an aggregate, or a core device based on the distribution of users. The
configurations take effect only on the local device, and do not affect other devices on the network.
(Mandatory) Specify the time range when adding an ACE. For details about how to configure the time range, see the
configuration manual related to the time range.
Applying an ACL
(Mandatory) Apply the ACL to a specified interface if you want to make ACEs take effect in the specified time range.
You can apply an IP ACL on a specified interface of an access, an aggregate, or a core device based on the distribution
of users.
Verification
In the time range that the configured ACE takes effect or becomes invalid, run the ping command or construct packets
matching the ACE to check whether the ACE takes effect or becomes invalid.
Configuration Guide Configuring the ACL
Related Commands
Configuring an ACL
For details about the ACL configuration commands, see the earlier descriptions about the IP ACL, MAC extended ACL,
expert extended ACL, or IPv6 ACL.
For details about the ACE configuration commands, see the earlier descriptions about the IP ACL, MAC extended ACL,
expert extended ACL, or IPv6 ACL.
Applying an ACL
For details about the command for applying an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL,
expert extended ACL, or IPv6 ACL.
Configuration Example
Adding an ACE With the Time Range Specified to Allow the R&D Department to Access the Internet Between
12:00 and 13:30 Every Day
Scenario
Figure 1-10
Configuration Configure a time range named "access-internet", and add an entry of the time range between 12:00
Steps and 13:30 every day.
Configure an IP ACL "ip_std_internet_acl".
Add an ACE to allow packets with the source IP address in the network segment 10.1.1.0/24, and
associate this ACE with the time zone "access-internet".
Add an ACE to deny packets with the source IP address the network segment 10.1.1.0/24. Access to
the Internet is not allowed except in the specified time range.
Add an ACE to permit all packets.
Configuration Guide Configuring the ACL
Apply the ACL to the outgoing direction of the interface connected to the breakout gateway.
SW1
Ruijie(config)# time-range access-internet
Ruijie(config-time-range)# exit
sw1(config-std-nacl)# exit
Verification Within the time range between 12:00 and 13:30, visit the Baidu website on a PC of the R&D
department. Verify that the website can be opened normally.
Beyond the time range between 12:00 and 13:30, visit the Baidu website on a PC of the R&D
department. Verify that the website cannot be opened.
SW1
sw1#show time-range
sw1#show access-lists
30 permit any
sw1#show access-group
During network maintenance, if a lot of ACLs are configured without any comments, it is difficult to distinguish these ACLs
later on. You can configure comments for ACLs to better understand the intended use of ACLs.
Configuration Steps
Configuring an ACL
(Mandatory) Configure an ACL before configuring the security channel. For details about the configuration method, see
the earlier descriptions.
You can configure this ACL on an access, an aggregate, or a core device based on the distribution of users. The
configurations take effect only on the local device, and do not affect other devices on the network.
(Optional) Configure comments for ACLs so that it is easy to manage and understand the configured ACLs.
(Optional) An ACL may contain zero or multiple ACEs. If no ACE is configured, it is equivalent that the security channel
does not take effect. For details about how to add an ACE to an ACL, see the related descriptions.
(Optional) To facilitate understanding of a configured ACL, you can configure comments for ACEs in addition to
comments for the ACL.
Verification
Run the show access-lists command on the device to display the comments configured for ACLs.
Related Commands
Configuring an ACL
For details about how to configure an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert
extended ACL, or IPv6 ACL.
Use either of the following two methods to configure a comment for an ACL:
Mode
Usage Guide Run this command to configure the comment for a specified ACL.
For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert
extended ACL, or IPv6 ACL.
Use either of the following two methods to configure a comment for an ACE:
1.5 Monitoring
Clearing
Description Command
Clears the ACL packet matching
clear counters access-list [ acl-id | acl-name ]
counters.
Clears the counters of packets
clear access-list counters [acl-id |acl-name ]
matching the deny ACEs.
Displaying
Description Command
Displays the basic ACLs. show access-lists [ acl-id | acl-ame ] [summary]
Displays the redirection ACEs bound to a specified
interface. If the interface is not specified, redirection ACEs show redirect [ interface interface-name ]
bound to all interfaces are displayed.
Displays the ACL configurations applied to an interface. show access-group [interface interface-name ]
Displays the IP ACL configurations applied to an interface. show ip access-group [interface interface-name ]
Displays the MAC extended ACL configurations applied to
show mac access-group [interface interface-name ]
an interface.
Displays the expert extended ACL configurations applied to
show expert access-group [interface interface-name ]
an interface.
Displays the IPv6 ACL configurations applied to an
show ipv6 traffic-filter [interface interface-name ]
interface.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs the ACL running process. debug acl acld event
Debugs the ACL clients. debug acl acld client-show
Debugs the ACLs created by all ACL
debug acl acld acl-show
clients.
Configuration Guide Configuring QoS
2 Configuring QoS
2.1 Overview
Quality of Service (QoS) indicates that a network can provide a good service capability for specified network communication
by using various infrastructure technologies.
When the network bandwidth is sufficient, all data streams can be properly processed; when network congestion occurs, all
data streams may be discarded. To meet users' requirements for different applications and different levels of service quality,
a network must be able to allocate and schedule resources based on users' requirements and provide different levels of
service quality for different data streams. To be specific, the network can process real-time and important data packets in
higher priorities, and process non-real-time and common data packets in lower priorities and even discard the data packets
upon network congestion.
The "doing the best" forwarding mechanism used by traditional networks cannot meet the requirements any longer and then
QoS comes into being. QoS-enabled devices provide transmission QoS quality service. A transmission priority can be
assigned to data streams of a type to identify the importance of the data streams. Then, the devices provide forwarding
policies for different priorities, congestion mitigation and other mechanisms to provide special transmission services for these
data streams. A network environment configured with QoS can provide predictability for network performance,
effectively allocate network bandwidth, and reasonably utilize network resources.
2.2 Applications
Application Description
Interface Rate Limit + Priority Based on different service requirements for a campus network, provide rate control
Relabeling and priority-based processing for outgoing traffic of the teaching building, laboratories
and dormitory building.
Priority Relabeling + Queue Provide priority-based processing and bandwidth control for traffic of internal access
Scheduling to servers of an enterprise.
To meet the service requirements of normal teaching, a school puts forwards the following requirements:
Control the Internet access traffic under 100M and discard packets out of control.
Control the outgoing traffic of the dormitory building under 50M and discard packets out of control.
Configuration Guide Configuring QoS
Control the rate of packets with DSCP priority 7 sent from laboratories under 20M, and change the DSCP priorities of
these packets whose rates exceed 20M to 16.
Control the outgoing traffic of the teaching building under 30M and discard packets out of control.
Figure 2-1
Remarks A school connects GigabitEthernet 0/24 of Switch A to the Internet in the uplink and connects GigabitEthernet 0/1,
GigabitEthernet 0/2 and GigabitEthernet 0/3 of Switch A to the teaching building, laboratory and dormitory
building in the downlink respectively.
Deployment
Configure the QoS interface rate limit for the interface G0/24 of Switch A for connecting the Internet.
Configure the QoS rate limit for packets sent from the dormitory building on Switch A.
Set the rate limit for packets with the DSCP priority 7 sent from the laboratory to 20M and relabel the DSCP priority of
packets out of the rate limit to 16.
Configure the QoS rate limit for packets sent from the teaching building on Switch A.
Configure priority relabeling and queue scheduling to meet the following requirements:
When the R&D department and market department access servers, the priorities of the server packets are as follows:
mail server > file server > salary query server.
No matter when the HR management department accesses the Internet or servers, the switch processes the
corresponding packets in the highest priority.
Since network congestion often occurs in switch running, in order to ensure smooth business operation, WRR queue
scheduling must be used to schedule IP packets for the R&D and market departments to access the mail database, file
database, and salary query database based on the ratio of 6:2:1.
Configuration Guide Configuring QoS
Figure 2-2
Remarks The R&D, market and HR management departments access the interfaces GigabitEthernet 0/1, GigabitEthernet
0/2 and GigabitEthernet 0/3 of Switch A respectively. The salary query server, mail server and file server are
connected to GigabitEthernet 0/23 of Switch A.
Deployment
Configure the CoS values of data streams for accessing different servers to ensure that the switch processes packets
for different servers in different priorities.
Set the default CoS value of the interface to a specific value to ensure that the switch processes packets sent by the HR
management department in the highest priority.
Configure WRR queue scheduling to ensure that data packets are transmitted in a specific quantity ratio.
2.3 Features
Basic Concept
DiffServ
The Differentiated Services (DiffServ) Mode is an IETF system based on which QoS is implemented in Ruijie products. The
DiffServ system classifies all packets transmitted in a network into different types. The classification information is included in
layer-2/3 packet headers, including 802.1P, IP and IP DSCP priorities.
In a DiffServ-compliant network, all devices apply the same transmission service policy to packets containing the same
classification information and apply different transmission service policies to packets containing different classification
information. Classification information of packets is either assigned by hosts or other devices in the network or assigned
based on different application policies or different packet contents. Based on the classification information carried by packets,
a device may provide different transmission priorities for different packet streams, reserve bandwidth for a kind of packet
streams, discard certain packets with lower priorities, or take some other actions.
Configuration Guide Configuring QoS
802.1P(PRI) priority
The 802.1 P priority is located at the header of a layer-2 packet with the 802.1Q header, and is used in scenarios where
layer-3 headers do not need to be analyzed and QoS needs to be implemented at layer 2. Figure 2-3 shows the structure of a
layer-2 packet.
Figure 2-3
As shown in Figure 2-3, the 4-byte 802.1Q header contains 2-byte Tag ProtocolIdentifier (TPID) whose value is 0x8100 and
2-byte Tag ControlInformation (TCI). The first three bits of the TCI indicate the 802.1P priority.
The priorities of IP packets are identified by the IP PRE and DSCP priority. The Type Of Service (ToS) field of the IPv4
header comprises 8 bits; where the first three bits indicate the IP precedence (IP PRE), ranging from 0 to 7. RFC 2474
redefines the ToS field of the IPv4 header, which is called the Differentiated Services (DS) field. The Differentiated Services
Code Point (DSCP) priority is identified by the first 6 bits (bits 0 to 5) of the DS field, and by the first 6 bits of the Traffic Class
field in the IPv6 header. Figure 2-4 shows the locations of the IP PRE and DSCP priorities in IPv4/IPv6 packets.
Figure 2-4
CoS
Class of Service (COS). Ruijie products convert packet priorities into CoS values to identity the local priorities of the packets
and determine the input queue ID when packets are sent from the output interface.
Configuration Guide Configuring QoS
Overview
Feature Description
Stream Classification Stream classification uses certain rules to identify packets with same characteristics and is the
prerequisite and basis for distinguishing network services.
Priority Labeling and Label packet priorities with specified values and map the values to corresponding CoS values.
Mapping
Traffic Supervision Supervise the specification of traffic flowing into a network, limit the traffic within a reasonable range,
and discard the traffic out of the limit or modify the priority of the traffic.
Congestion Determine the sequence of data packets sent from an interface based on the priorities of the data
Management packets and ensure that key services can be processed in time when congestion occurs.
Working Principle
Stream classification rules can be matching the PRE or DSCP priorities of IP packets or classifying packets by identifying
packet content through an ACL. You can define the binding between multiple streams and stream behaviors by using
commands to form policies which can be applied to interfaces for stream classification and processing.
QoS policy
A QoS policy comprises three elements: class, stream behavior and policy.
Class
A class identifies streams and comprises the class name and class rules. You can define the class rules by using
commands to classify packets.
Stream behavior
Stream behaviors define the QoS actions taken for packets, including priority labeling and traffic supervision for
packets.
Policy
A policy binds a specific class and specific stream behaviors and comprises the policy name, names of the classes
bound, and stream behaviors. You can bind a specified class and stream behaviors by using a QoS policy and apply
the policy to one or more interfaces.
You can specify a series of interfaces as a QoS logical interface group (including both APs and Ethernet interfaces) and
associate polices with the logical interface group for QoS processing. Take rate limit for stream behaviors for example. For
packets that meet the rate limit conditions, all interfaces in the same logical interface group share the bandwidth specified by
the policy.
Related Configuration
Creating a class
You can run the class-map command to create a class and enter the class configuration mode.
Matching an ACL
In the class configuration mode, you can run the match acess-group command to define a class rule as matching an ACL.
You need to create ACL rules first.
In the class configuration mode, you can run the match ip precedence command to define a class rule as matching PRE
priorities of IP packets. The value range of IP PRE is 0 to 7.
In the class configuration mode, you can run the match ip dscp command to define a class rule as matching DSCP priorities
of IP packets. The value range of DHCP priorities is 0 to 63.
Creating a policy
You can run the policy-map command to create a policy and enter the policy configuration mode.
Associating a class
In the policy configuration mode, you can run the class command to associate a class and enter the policy-class
configuration mode.
In the policy-class configuration mode, you can run the set command to modify the CoS, DSCP or VID values of a specified
stream; where, the CoS value ranges from 0 to 7, the DSCP value ranges from 0 to 63 and the VID value ranges from 1 to
Configuration Guide Configuring QoS
4094. You can run the police command to limit the bandwidth and process streams out of the limit for specified streams. The
bandwidth limit ranges are determined by products.
No logical interface group is defined and an interface is not added to any logical interface group by default.
In the global configuration mode, you can run the virtual-group command to create a logical interface group. In the interface
configuration mode, you can run the virtual-group command to add an interface to a logical interface group. If this logical
interface group is not created, you can create the logical interface group and add the interface to the group. You can create
128 logical interface groups, ranging from 1 to 128.
In the interface configuration mode, you can run the service-policy command to apply a policy in the input/output directions
of the interface. In the global configuration mode, you can run the service-policy command to apply a policy in the
input/output directions of all interfaces.
Working Principle
After data streams of packets enter a device interface, the device assigns priorities to the packets based on the trust mode
configured for the interface. The following describes several trust modes:
When the interface trust mode is untrust, which means not trusting the priority information carried in packets:
Modify the CoS value according to the default CoS value (0, which is configurable), COS-DSCP mapping table and
DSCP-COS mapping table of the interface and put the packets into queues based on the final CoS value. For output
packets carrying the 802.1Q tag, the packet priority will be modified to the corresponding CoS value.
For packets carrying the 802.1Q tag, modify the CoS value according to the PRI value, CoS-DSCP mapping table, and
DSCP-CO mapping table, and put the packets into queues based on the final CoS value. For output packets carrying
the 802.1Q tag, the packet priority will be modified to the corresponding CoS value.
For packets not carrying the 802.1Q tag, modify the CoS value according to the default CoS value (0, which is
configurable), COS-DSCP mapping table and DSCP-COS mapping table of the interface, and put the packets into
queues based on the final CoS value. For output packets carrying the 802.1Q tag, the packet priority will be modified to
the corresponding CoS value.
For non-IP packets, the processing is the same as that for trusting CoS.
Configuration Guide Configuring QoS
For IP packets, modify the CoS value according to the DSCP value of the packets and the DSCP-CoS mapping table
and put the packets into queues based on the final CoS value.
For non-IPv4 packets, the processing is the same as that for trusting CoS.
For IPv4 packets, obtain and modify the DSCP priority of the packets according to the IP PRE value of the packets and
the IP-PRE-DSCP mapping table, obtain the CoS value according to the DSCP-CoS mapping table, and then put the
packets into queues based on the final CoS value.
When the trust mode and the applied policy of an interface work together:
When the trust mode and the applied policy of an interface work together, the trust mode has a lower priority than the
policy and the CoS priority can be obtained according to the DSCP-CoS mapping table.
If a policy is applied to the interface but the policy does not has a configuration for modifying the DSCP and CoS values,
the processing will be performed based on the trust mode of the interface.
Related Configuration
In the interface configuration mode, run the mls qos trust command to modify the trust mode. The trust mode can be trusting
CoS, trusting DSCP or trusting IP PRE.
In the interface configuration mode, run the mls qos cos command to modify the default CoS value of the interface, which
ranges from 0 to 7.
In the policy-class configuration mode, run the set command to modify the CoS, DSCP and VID values of streams. The CoS
value ranges from 0 to 7; the DSCP value ranges from 0 to 63; the VID value ranges from 1 to 4094.
By default, the CoS values 0, 1, 2, 3, 4, 5, 6 and 7 are mapped to the DSCP values 0, 8, 16, 24, 32, 40, 48 and 56
respectively.
Run the mls qos map cos-dscp command to configure the COS-DSCP mapping. The DSCP value ranges from 0 to 63.
By default, DSCP 0 to 7 are mapped to CoS 0, DSCP 8 to 15 mapped to CoS 1, DSCP 16 to 23 mapped to CoS2, DSCP 24
to 31 mapped to CoS 3, DSCP 32 to 39 mapped to CoS 4, DSCP 40 to 47 mapped to CoS 5, DSCP 48 to 55 mapped to CoS
6, and DSCP 56 to 63 mapped to CoS 7.
Configuration Guide Configuring QoS
Run the mls qos map dscp-cos command to configure the DSCP-CoS mapping. The CoS value ranges from 0 to 7 and the
DSCP value ranges from 0 to 63.
By default, the IP PRE values 0, 1, 2, 3, 4, 5, 6 and 7 are mapped to the DSCP values 0, 8, 16, 24, 32, 40, 48 and 56
respectively.
Run the mls qos map ip-prec-dscp command to configure the IP PRE-DSCP mapping. The DSCP value ranges from 0 to
63.
Working Principle
Traffic supervision is used to monitor the specification of traffic flowing into a network and conduct preset supervision actions
based on different assessment results. These actions can be:
Changing the priority and forwarding: modify the priorities of packets out of the traffic limit and then forward the packets.
Related Configuration
In the policy-class configuration mode, run the police command to configure the action to be conducted for traffic out of limit
to discarding traffic out of limit, or modifying the CoS value or DSCP value. The traffic limit range is determined by products.
When the traffic is out of the limit, you can modify the CoS value in the range of 0 to 7 and the DSCP value in the range of 0
to 63.
In the interface configuration mode, run the rate-limit command to configure the total traffic limit for an interface in the input
and output directions. The traffic limit range is determined by products.
determines the sequence of data packets to be sent from an interface based on the priorities of the data packets. The
congestion management function allows for congestion control by increasing the priorities of important data packets. When
congestion occurs, the important data packets are sent in higher priorities to ensure that key services are implemented in
time.
Working Principle
A queue scheduling mechanism is used for congestion management and the process is as follows:
After each packet passes all QoS processing in a switch, the packet will obtain a CoS value finally.
At the output interface, the device classifies the packets into corresponding sending queues based on the CoS values.
The output interface selects packets in a queue for sending based on various scheduling policies (SP, WRR, DRR,
WFQ, SP+WRR, SP+DRR and SP+WFQ).
Scheduling policy
The queue scheduling policies include SP, WRR, DRR, WFQ, SP+WRR, SP+DRR, and SP+WFQ.
Strict-Priority (SP) scheduling means scheduling packets strictly following queue IDs. Before sending packets each time,
check whether a queue with the first priority has packets to be sent. If yes, the packets in this queue are sent first. If not,
check whether a queue with the second priority has packets. Follow the same rules for packets in other queues.
Weighted Round Robin (WRR) scheduling means scheduling queues in turn to ensure that all queues have certain
service time. For example, a 1000 Mbps interface has 8 output queues. The WRR configures a weighted value (5, 5, 10,
20, 20, 10, 20 and 10, which indicate the proportions of obtained resources) for each queue. This scheduling method
ensures that a queue with the lowest priority is assigned with at least 50 Mbps bandwidth, which avoids that packets in
the queue with the lowest priority are not served for long time when the SP scheduling method is used.
Deficit Round Robin (DRR) scheduling is similar to the WRR, but applies weight values based on bytes, but not based
on time slices.
Weighted Fair Queueing (WFQ) scheduling provides dynamic and fair queuing and applies weighted values based on
bytes, similar to the DRR. When encountering an empty queue, the DRR will shift to the next queue for transmission
immediately. If a queue misses its transmission time, the queue must wait for the next time, which is the difference
between the WFQ and DRR; therefore, the WFQ is more suitable for processing data packets with variable lengths than
the DRR.
SP+WRR scheduling means configuring the SP scheduling for one or more sending queues and configuring the WRR
scheduling for the other queues. Among SP queues, only after all packets in the SP queue with the first priority are sent,
the packets in the SP queue with the second priority can be sent. Among SP and WRR queues, only after the packets in
all SP queues are sent, the packets in WRR queues can be sent.
SP+DRR scheduling means configuring the SP scheduling for one or more sending queues and configuring the DRR
scheduling for the other queues. Among SP queues, only after all packets in the SP queue with the first priority are sent,
the packets in the SP queue with the second priority can be sent. Among SP and DRR queues, only after the packets in
all SP queues are sent, the packets in DRR queues are sent.
Configuration Guide Configuring QoS
SP+WFQ scheduling means configuring the SP scheduling for one or more sending queues and configuring the WFQ
scheduling for the other queues. Among SP queues, only after all packets in the SP queue with the first priority are sent,
the packets in the SP queue with the second priority can be sent. Among SP and WFQ queues, only after the packets in
all SP queues are sent, the packets in WFQ queues can be sent.
On some products, interface queues are classified into unicast queues and multicast queues. There are 8 unicast queues. All
known unicast packets enter corresponding unicast queues for forwarding based on their priorities. There are 1 to 8 multicast
queues (depending on products. Certain products do not support multicast queues). Except for known unicast packets, all
packets (such as broadcast packets, multicast packets, unknown unicast packets, and mirroring packets) enter
corresponding multicast queues for forwarding based on their priorities. Similar to unicast queues, you can configure priority
mappings and scheduling algorithms for multicast queues. The Cos-to-Mc-Queue command can be used to configure
mapping from priorities to multicast queues. At present, multicast queues support the SP, WRR and SP+WRR scheduling
algorithms.
Scheduling policy and round robin weight for output queues on an interface
The scheduling policies and round robin weight for output queues are based on global configurations. Some products
support both global configurations and interface-based configurations. Interface-based configurations have higher priorities
than global configurations. The global scheduling policy works with the corresponding global round robin weight whereas the
interface scheduling policy works with the interface round robin weight. If only the global scheduling policy or interface
scheduling policy is configured but no corresponding round robin weights are configured, the default round robin weights will
work with the scheduling policy.
Queue bandwidth
Some products allow for configuring the guaranteed minimum bandwidth and the limited maximum bandwidth for a queue. A
queue configured with the guaranteed minimum bandwidth ensures that the bandwidth for this queue is not smaller than the
configured value. A queue configured with the limited maximum bandwidth ensures that the bandwidth for this queue is not
greater than the configured value and packets out of the bandwidth limit will be discarded. The bandwidth limits for unicast
and multicast queues are configured together on some products whereas configured separately on some other products. In
addition, some products allow for configuring bandwidth only for unicast queues.
Related Configuration
By default, the CoS values 0, 1, 2, 3, 4, 5, 6 and 7 are mapped to the queues 1, 2, 3, 4, 5, 6, 7 and 8 respectively.
Run the priority-queue cos-map command to configure the CoS-to-queue mapping. The CoS value ranges from 0 to 7 and
the queue value ranges from 1 to 8.
By default, the scheduling policy for a global output queue is WRR and no scheduling policy is configured for an interface.
Configuration Guide Configuring QoS
Run the mls qos scheduler command to configure the output scheduling policy for a queue. Configurable scheduling
policies include SP, WRR, DRR and WFQ. You can also run the priority-queue command to configure the scheduling policy
as SP.
Configuring the round robin weight corresponding to the WRR scheduling policy for an output queue
Run the wrr-queue bandwidth command to configure the round robin weight corresponding to the WRR scheduling policy
for an output queue. The configurable weight range is determined by products.
Configuring the round robin weight corresponding to the DRR scheduling policy for an output queue
Run the drr-queue bandwidth command to configure the round robin weight corresponding to the DRR scheduling policy for
an output queue. The configurable weight range is determined by products.
Configuring the round robin weight corresponding to the WFQ scheduling policy for an output queue
Run the wfq-queue bandwidth command to configure the round robin weight corresponding to the WFQ scheduling policy
for an output queue. The configurable weight range is determined by products.
Run the qos queue command to configure the guaranteed minimum bandwidth and the limited maximum bandwidth for each
queue. The queue value ranges from 1 to 8 and the guaranteed minimum bandwidth and limited maximum bandwidth value
ranges are determined by products. Supported queue types (unicast, multicast, or both unicast and multicast) are
determined by products.
2.4 Configuration
Classification
match access-group Matches ACL rules.
(Optional) It is used to configure the trust mode, default CoS value and various
mappings for an interface.
Configuring Interface Rate (Optional) It is used to configure the rate limit for an interface.
Limit
rate-limit Configures the traffic limit for an interface.
Create a policy, bind a class and stream behaviors, and associate with an interface.
Notes
The class and policy names cannot comprise more than 31 characters.
Interface configurations allow for only AP and Ethernet interface configurations. Certain products support policies
applied to SVI interfaces through the service-policy command. When both physical interfaces and SVI interfaces are
configured with policies, the priority of the physical interfaces is higher than that of the SVI interfaces.
If run the service-policy command in global configuration mode, policies will be applied to all interfaces which can be
configured with policies.
Configuration Steps
Optional.
Create a class. In the class configuration mode, match ACL, IP PRE or DSCP.
Configuration Guide Configuring QoS
Creating a policy
Optional.
Create a policy. In the policy configuration mode, bind the class and stream behaviors.
Creating a logical interface group and adding interfaces to the logical interface group
Optional.
Create a logical interface group and add interfaces to the logical interface group.
Optional.
Verification
Run the show class-map command to check whether the class is successfully created and whether rules are
successfully matched.
Run the show policy-map command to check whether the policy is successfully created and whether the class and
stream behaviors are successfully bound.
Run the show mls qos interface command to check whether the interface is associated with the policy.
Run the show virtual-group command to check the interfaces in the logical interface group.
Run the show mls qos virtual-group command to check whether the logical interface group is associated with the
policy.
Related Commands
Creating a class
Parameter class-map-name: Indicates the name of a class to be created. The name cannot comprise more than 31
Description characters.
Usage Guide -
Matching an ACL
Description
Usage Guide -
Usage Guide -
Parameter dscp -value: Indicates the DSCP to be matched, ranging from 0 to 63.
Description
Usage Guide -
Creating a policy
Parameter policy-map-name: Indicates the name of a policy to be created. The name cannot comprise more than 31
Description characters.
Usage Guide -
Associating a class
Usage Guide -
Binding the behaviors for modifying the CoS, DSCP and VID values of streams
Parameter ip dscp new-dscp: Changes the DSCP value of streams to new-dscp, ranging from 0 to 63.
Description
cos new-cos: Changes the CoS value of streams to new-cos, ranging from 0 to 7.
none-tos: Does not change the DSCP value of packets when changing the CoS value of the packets.
vid new-vid: Changes the VLAN ID of streams to new-vid, ranging from 1 to 4094.
Usage Guide -
Binding the bandwidth limit for streams and the action for processing packets out of the limit
Command police rate-bps burst-byte [ exceed-action { drop | dscp new-dscp | cos new-cos [ none-tos ] } ]
Parameter rate-bps: Indicates the bandwidth limit per second (KBits). The value range is determined by products.
Description burst-byte: Indicates the burst traffic limit (Kbytes). The value range is determined by products.
dscp new-dscp: Changes the DSCP value of packets out of the bandwidth limit to new-dscp, ranging from 0
to 63.
cos new-cos: Changes the CoS value of packets out of the bandwidth limit to new-cos, ranging from 0 to 7.
none-tos: Does not change the DSCP value of packets when changing the CoS value of the packets.
Usage Guide -
Creating a logical interface group and adding interfaces to the logical interface group
Parameter virtual-group-number: Indicates the logical interface group number, ranging from 1 to 128.
Description
Command Create the logical interface group in the global configuration mode, add the interface to the logical interface
Mode group in the interface configuration mode. If no logical interface group exists, you need to create a logical
interface group first and then add interfaces to the logical interface group.
Usage Guide -
Usage Guide -
Configuration Example
Creating four stream classes and matching ACL, IP PRE and DSCP
Ruijie(config-cmap)# exit
Ruijie(config-cmap)# exit
Ruijie(config-cmap)# exit
Verification Check whether the created ACL rules and stream class rules are successful.
ip access-list standard 11
Match access-group 11
Match ip dscp 21
Match ip precedence 5
Creating a policy, binding a class and stream behaviors, and associating with an interface
Configuration Create the stream class cmap1, and match packets whose DSCP value is 18. Create cmap2 and
Steps match packets whose IP PRE is 7.
Create the policy pmap1, associate the policy with cmap1, and bind the behavior of changing the CoS
value of the stream to 6. Associate the policy with cmap2, bind the behavior of changing the DSCP
value of the stream to 16, limiting the traffic per second within 10,000 Kbits and trigger traffic within
1024 Kbits per second, and changing the DSCP value for traffic out of limit to 7.
Apply the policy pmap1 to the output direction of the interface gigabitEthernet 0/0.
Create virtual logical group 1, add the interfaces gigabitEthernet 0/1 and gigabitEthernet 0/2 to the
group, and apply the policy pmap1 to the input interface of the virtual logical group.
Ruijie(config-cmap)# exit
Ruijie(config-cmap)# exit
Configuration Guide Configuring QoS
Ruijie(config-pmap-c)# exit
Ruijie(config-pmap-c)# exit
Ruijie(config-pmap)# exit
Ruijie(config)# virtual-group 1
Ruijie(config-VirtualGroup)# exit
Verification Check whether the stream class rules are successfully created.
Check whether the policy is successfully created, and whether the stream and stream behaviors are
successfully bound.
Check whether the logical interface group is successfully created, whether interfaces are successfully
associated and whether the policy is successfully applied to the interface.
Match ip dscp 18
Match ip precedence 7
Class cmap1
set cos 6
Class cmap2
set ip dscp 15
Ratelimit input:
Ratelimit output:
Default cos: 0
virtual-group member
------------- -------------------------
1 Gi0/1 Gi0/2
Virtual-group: 1
Notes
Configuration Steps
Optional.
In the interface configuration mode, configure the trust mode and default CoS value of an interface.
Optional.
Verification
Run the show mls qos interface command to display the trust mode and default CoS value of the interface.
Run the show mls qos maps command to display the CoS-to-DSCP, DSCP-to-CoS and IP-PRE-to-DSCP mappings.
Related Commands
Usage Guide -
Parameter default-cos: Configures the default CoS value, ranging from 0 to 7. The default value is 0.
Description
Usage Guide -
Configuration Guide Configuring QoS
Parameter dscp1….dscp8: Indicates the DSCP values mapped to the CoS values. The default CoS values 0~7 are
Description mapped to DSCP 0, 8, 16, 24, 32, 40, 48 and 56 respectively. The DSCP value ranges from 0 to 63.
Usage Guide -
Parameter dscp-list: Indicates the DSCP list mapped to the CoS values. The default DSCP 0~7 are mapped to CoS 0,
Description DSCP 8~15 mapped to CoS 1, DSCP 16~23 mapped to CoS 2, DSCP 24~31 mapped to CoS 3, DSCP
32~39 mapped to CoS 4, DSCP 40~47 mapped to CoS 5, DSCP 48~55 mapped to CoS 6, and DSCP
56~63 mapped to CoS 7. The DSCP value ranges from 0 to 63.
cos: Indicates the CoS values mapped to the dscp-list, ranging from 0 to 7.
Usage Guide -
Parameter dscp1….dscp8: Indicates the DSCP values mapped to the IP PRE values. The default IP PRE 0~7 are
Description mapped to DSCP 0, 8, 16, 24, 32, 40, 48 and 56 respectively. The DSCP value ranges from 0 to 63.
Usage Guide -
Configuration Example
Configuration Modify the trust mode of the interface gigabitEthernet 0/0 to DSCP.
Steps
Change the default CoS value of the interface gigabitEthernet 0/1 to 7.
Configuration Guide Configuring QoS
Verification Check whether the trust mode and default CoS value are successfully configured for the interface.
Ratelimit input:
Ratelimit output:
Default cos: 0
Ratelimit input:
Ratelimit output:
Default cos: 7
Configuration Configure CoS-to-DSCP to map CoS 0, 1, 2, 3, 4, 5, 6, and 7 to DSCP 7, 14, 21, 28, 35, 42, 49, and 56
Steps respectively.
Configure DSCP-to-CoS to map DSCP 0, 1, 2, 3, and 4 to CoS 4 and DSCP 11, 12, 13 and 14 to CoS
Configuration Guide Configuring QoS
7.
Configure IP-PRE-to-DSCP to map IP PRE 0, 1, 2, 3, 4, 5, 6, and 7 to DSCP 31, 26, 21, 15, 19, 45, 47,
and 61 respectively.
cos dscp
--- ----
0 7
1 14
2 21
3 28
4 35
5 42
6 49
7 56
0 4 1 4 2 4 3 4
4 4 5 0 6 0 7 0
8 1 9 1 10 1 11 7
12 7 13 7 14 7 15 1
16 2 17 2 18 2 19 2
Configuration Guide Configuring QoS
20 2 21 2 22 2 23 2
24 3 25 3 26 3 27 3
28 3 29 3 30 3 31 3
32 4 33 4 34 4 35 4
36 4 37 4 38 4 39 4
40 5 41 5 42 5 43 5
44 5 45 5 46 5 47 5
48 6 49 6 50 6 51 6
52 6 53 6 54 6 55 6
56 7 57 7 58 7 59 7
60 7 61 7 62 7 63 7
ip-precedence dscp
------------- ----
0 31
1 26
2 21
3 15
4 19
5 45
6 47
7 61
Notes
Configuration Steps
Optional.
Configuration Guide Configuring QoS
Configure the limit on the traffic and burst traffic for an interface.
Verification
Run the show mls qos rate-limit command to display the rate limit information about the interface.
Related Commands
bps: Indicates the bandwidth limit per second (Kbits). The value range is determined by products.
burst-size: Indicates the burst traffic limit (Kbytes). The value range is determined by products.
Usage Guide -
Configuration Example
Configuration For Internet access by using the output interface, configure the output traffic limit on the interface
Steps G0/24, and set the bandwidth limit to 102,400 Kbits per second and burst traffic limit to 256 Kbytes per
second.
For the dormitory building, configure the input traffic limit on the interface G0/3, and set the bandwidth
limit to 51,200 Kbits per second and burst traffic limit to 256 Kbytes per second.
For the teaching building, configure the input traffic limit on the interface G0/1, and set the bandwidth
limit to 30,720 Kbits per second and burst traffic limit to 256 Kbytes per second.
For the laboratory, create the class cmap_dscp7 to match DSCP priority 7, create the policy
pmap_shiyan to associate with cmap_dscp7, bind the stream behavior of changing the DSCP value for
packets whose rates exceed 20M to 16, apply pmap_shiyan to the interface G0/2, and configure the
interface to trusting DSCP.
Ruijie(config-cmap)# exit
Ruijie(config-pmap-c)# exit
Ruijie(config-pmap)# exit
Check whether the class and policy are successfully created and successfully applied to the interface.
Match ip dscp 7
Class cmap_dscp7
Ratelimit input:
Ratelimit output:
Default cos: 0
Configure the scheduling policy and round robin weight for an output queue.
Configure the guaranteed minimum bandwidth and limited maximum bandwidth for a queue.
Notes
Configuration Steps
Optional.
Configure the CoS-to-queue mappings. On products supporting multicast queues, you can configure the
CoS-to-multicast queue mapping.
Configuring the scheduling policies and round robin weight for unicast and multicast output queues
Optional.
Configuration Guide Configuring QoS
Configure the scheduling policy for an output queue and modify the round robin weight. On products supporting
multicast queues, you can configure the scheduling policies and round robin weights for multicast queues.
Configuring the guaranteed minimum bandwidth and limited maximum bandwidth for a queue
Optional.
Configure the guaranteed minimum bandwidth and limited maximum bandwidth for a queue.
Verification
Run the show mls qos queueing command to display the output queue information.
Run the show mls qos scheduler command to display the scheduling policy for the output queue.
Run the show qos bandwidth command to display the queue bandwidth.
Related Commands
Command priority-queue cos-map qid cos0 [ cos1 [ cos2 [ cos3 [ cos4 [ cos5 [ cos6 [ cos7 ] ] ] ] ] ] ]
Usage Guide -
Command priority-queue
Parameter -
Description
Usage Guide -
Parameter sp: Sets the scheduling algorithm for an output queue to SP.
Configuration Guide Configuring QoS
Description wrr: Sets the scheduling algorithm for an output queue to WRR.
Usage Guide -
Configuring the scheduling policy and round robin weight for an output queue
Parameter drr-queue: Configures the round robin weight corresponding to the DRR scheduling policy for an output
Description queue.
wrr-queue: Configures the round robin weight corresponding to the WRR scheduling policy for an output
queue.
wfq-queue: Configures the round robin weight corresponding to the WFQ scheduling policy for an output
queue.
weight1...weight8: Indicates the weight of queues 1 to 8. The value range is determined by products. The
value 0 indicates that the queue uses the SP scheduling algorithm. The default weight for global/interface
queues is 1:1.
Usage Guide -
Configuring the guaranteed minimum bandwidth and limited maximum bandwidth for a queue
Command qos queue [ ucast | mcast ] queue-id bandwidth { minimum | maximum } bandwidth
Parameter queue [ ucast | mcast ]: queue ucast configures the guaranteed minimum bandwidth or limited maximum
Description bandwidth for devices that allow for configuring the unicast queue bandwidth limit; queue mcast configures
the guaranteed minimum bandwidth or limited maximum bandwidth for devices that allow for configuring the
multicast queue bandwidth limit; queue configures the guaranteed minimum bandwidth or limited maximum
bandwidth for devices that allow for configuring both the unicast and multicast queue bandwidth limits.
minimum bandwidth: Indicates the guaranteed minimum bandwidth Kbps. The value range is determined
by products. It is not configured by default.
maximum bandwidth: Indicates the limited maximum bandwidth Kbps. The value range is determined by
Configuration Guide Configuring QoS
Usage Guide -
Configuration Example
Configuring the CoS-to-queue mapping and modifying the scheduling policy and its round robin weight
Configuration Configure the CoS-to-queue mapping to the mapping from the CoS values 0, 1, 2, 3, 4, 5, 6, and 7 to
Steps queues 1, 2, 5, 5, 5, 5, 7, and 8.
Configure the output scheduling policy for a queue to DRR and the round robin weight to
2:1:1:1:6:6:6:8.
Verification Check whether the CoS-to-queue mapping is successfully created, and whether the output scheduling
policy and round robin weight are successfully configured for the queue.
CoS-to-queue map:
cos qid
--- ---
0 1
1 2
2 5
3 5
4 5
Configuration Guide Configuring QoS
5 5
6 7
7 8
qid weights
--- -------
1 1
2 1
3 1
4 1
5 1
6 1
7 1
8 1
qid weights
--- -------
1 2
2 1
3 1
4 1
5 6
6 6
7 6
8 8
qid weights
--- -------
1 1
Configuration Guide Configuring QoS
2 1
3 1
4 1
5 1
6 1
7 1
8 1
Taking products that support separate configuration of unicast and multicast queues for example and
configuring the guaranteed minimum bandwidth and limited maximum bandwidth for a queue
Configuration Configure the limited maximum bandwidth to 10M and guaranteed minimum bandwidth to 5M for
Steps unicast queue 1 on the interface gigabitEthernet 0/1. Configure the guaranteed minimum bandwidth to
2M for unicast queue 2. Configure the limited maximum bandwidth to 5M and guaranteed minimum
bandwidth to 1M for multicast queue 1.
Verification Check whether the guaranteed minimum bandwidth and limited maximum bandwidth are successfully
configured for the interface.
---------------------------------------------------
1 5120 10240
2 0 0
3 0 0
4 0 0
5 0 0
6 0 0
7 0 0
8 0 0
---------------------------------------------------
---------------------------------------------------
1 1024 5120
2 0 0
3 0 0
4 0 2048
---------------------------------------------------
Configuration Create ACLs for accessing various servers and create classes for matching these ACLs.
Steps
Create policies for associating with the classes and specify new CoS values for packets accessing
various servers. Associate the CoS values with the input interfaces for the R&D and market
departments and configure the interfaces to trusting CoS.
Configure the default CoS value for the HR management department interface to the highest priority 7
to ensure that packets from the HR management department are sent in the highest priority.
Configure the output scheduling policy to WR and the round robin weight to 1:1:1:2:6:1:1:0 for the
Configuration Guide Configuring QoS
queues. This means that the SP scheduling algorithm is used for packets of the HR management
department, and the packets of the R&D and market departments for accessing the mail database, file
database and salary query database are scheduled based on the ratio of 6:2:1.
Ruijie(config-ext-nacl)# exit
Ruijie(config-ext-nacl)# exit
Ruijie(config-ext-nacl)# exit
Ruijie(config-cmap)# exit
Ruijie(config-cmap)# exit
Ruijie(config-pmap-c)# exit
Ruijie(config-pmap-c)# exit
Ruijie(config-pmap-c)# end
Configuration Guide Configuring QoS
Ruijie(config)#wrr-queue bandwidth 1 1 1 2 6 1 1 0
Verification Check whether the ACLs are successfully created and whether the classes are successfully
associated with the ACLs.
Check whether the policies are successfully created, whether the classes and stream behaviors are
successfully bound, and whether policies are successfully applied to the interfaces.
Check whether the default CoS value is successfully configured for the interface and whether the
scheduling policy and the round robin weight are successfully configured.
Class mail
set cos 4
Class file
set cos 3
Class salary
set cos 2
Ratelimit input:
Ratelimit output:
Default cos: 0
Ratelimit input:
Ratelimit output:
Default cos: 0
Ratelimit input:
Ratelimit output:
Default cos: 7
CoS-to-queue map:
cos qid
--- ---
0 1
1 2
2 3
3 4
4 5
5 6
6 7
7 8
qid weights
--- -------
1 1
2 1
3 1
Configuration Guide Configuring QoS
4 2
5 6
6 1
7 1
8 0
qid weights
--- -------
1 1
2 1
3 1
4 1
5 1
6 1
7 1
8 1
qid weights
--- -------
1 1
2 1
3 1
4 1
5 1
6 1
7 1
8 1
Configuration Guide Configuring QoS
2.5 Monitoring
Displaying
Description Command
Displays the policy applied to a show mls qos virtual-group [ virtual-group-number | policers ]
logical interface group.
Displays various mappings. show mls qos maps [ cos-dscp | dscp-cos | ip-prec-dscp ]
Displays interface rate limit show mls qos rate-limit [ interface interface-id ]
information.
Displays the QoS queue, scheduling show mls qos queueing [ interface interface-id ]
policy and round robin weight
information.
Displays the scheduling information show mls qos scheduler [ interface interface-id ]
of an output queue.
Displays the QoS information of an show mls qos interface interface-id [ policers ]
interface.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
1. Configuring REUP
2. Configuring RLDP
3. Configuring DLDP
5. Configuring VSU
6. Configuring VRRP
1 Configuring REUP
1.1 Overview
The Rapid Ethernet Uplink Protection Protocol (REUP) provides a rapid uplink protection function.
In the dual uplink networking, REUP is used to ensure normal communication between links, block redundant links, avoid link
loops, and implement fast backup.
The upstream interfaces of REUP are configured in pairs. If both interfaces are normal, an interface works in the backup
state. The interface in the backup state does not forward data packets. When the interface in the forward state is faulty, the
backup interface switches to the forward state immediately, and provides data transmission. In addition, REUP also sends
address update packets to upstream devices so that the upstream devices can update their MAC addresses immediately.
This function of REUP ensures that layer-2 data streams can be restored within 50 ms after a link is faulty.
REUP is mutually exclusive with the Spanning Tree Protocol (STP) based on interfaces. In this case, a device runs STP
downward and runs REUP upward to implement backup and fault protection for the upstream link. REUP ensures that basic
link redundancy is provided when STP is disabled and that millisecond-level fault recovery faster than STP is also provided.
REUP is a proprietary protocol of Ruijie Network, and there is no standard and protocol for reference.
1.2 Applications
Application Description
Communication in Dual Uplink Forward packets in the dual-uplink networking.
Networking
For communication in dual uplink networking, the access switch has two uplink paths, as shown in Figure 1-1.
Configuration Guide Configuring REUP
Deployment
Enable REUP on interface1 and interface2 of the access switch D/E to implement fast switching when a link is faulty.
Enable MAC address update message receiving of REUP on the interfaces connected to switches A/B/C to rapidly
clear the MAC addresses on the interfaces when a link is faulty.
1.3 Features
Basic Concepts
REUP Pair
Specify an interface as the backup interface of another interface to configure an REUP pair. One interface is the active
interface and the other interface is the backup interface. When the two interfaces are normal, an interface is configured as
the forward interface whereas the other interface is configured as the backup interface. You can determine the interface to be
configured as the backup interface. See the related information in the section "Configuring the Preemption Mode and Delay
Time of REUP".
MAC address update messages refer to FLUSH packets sent by Ruijie Network to uplink devices through private multicast.
When an uplink device of Ruijie Network enables the function for receiving MAC address update messages and receives
MAC address update messages, the device updates the MAC addresses of corresponding interfaces.
Multiple interfaces are added to a group. If one interface in the group receives a MAC address update message, the MAC
addresses of other interfaces in the group will be updated. In this case, the group is called MAC address update group.
Packets sent to update MAC addresses in order to support uplink devices are called MAC address update packets.
The uplink and downstream interfaces of a device are added to a group. If all upstream interfaces in the group are down, all
downstream interfaces in this group are forced down. In this case, this group is called a link tracing group.
Overview
Feature Description
Dual Link Backup of REUP When a link is faulty, the other link can rapidly switch to the forward state.
Preemption Mode and Delay When both links are normal, the preemption mode can be used to determine the link that is
Time of REUP used for forwarding data and the delay time that is used to determine the waiting time before
switching.
MAC Address Update During link switching, the MAC address of an interface is updated to make packet
convergence faster.
VLAN Load Balance When the two links are normal, the utilization of link bandwidth can be maximized.
Link State Tracking When the upstream link is faulty, the downstream link is switched.
Working Principle
Specify an interface as the backup interface of another interface to configure an REUP pair. When the two interfaces are
normal, a link is in the forward state (forwarding data packets) and the other link is in the backup state (not forwarding data).
When the active link is faulty, the link in the backup state rapidly switches to the forward state and starts forwarding data.
When the faulty link is recovered, the link enters the backup state and does not forward data packets. Of course, you can
configure the preemption mode to specify whether a link recovered from failure preempts the link that is in the forward state
currently.
Configuration Guide Configuring REUP
As shown in Figure 1-2, connect interfaces 1 and 2 of switch D (E) to the uplink switches B and C (C and B) and configure
REUP on interfaces 1 and 2. When the links are normal, interface 1 is in the forward state and forwards data packets and
interface 2 is in the backup state and does not forward data packets.
Configuration Guide Configuring REUP
Once interface 1 is faulty, interface 2 immediately starts forwarding data packets and recovers the uplink transmission of the
switch. In the non-preemption mode, when the link of interface 1 is recovered, interface 1 is in the backup state and does not
forward data packets whereas interface 2 continues forwarding data packets.
Related Configuration
You can run the switchport backup interface command to configure a layer-2 physical interface (or layer-2 AP interface) as
a backup interface and enable the dual link backup function of REUP.
You must enable the dual link backup function of REUP on an interface. The function involves the link switching of REUP
only when an interface is faulty.
Devices enabled with REUP must disable the storm control function of all layer-2 interfaces.
Configuration Guide Configuring REUP
You can determine which link should be used first by configuring the preemption mode of REUP. If the preemption mode is
set to bandwidth first, REUP selects a link with a high bandwidth first. You can also set the preemption mode to forced to
select a stable and reliable link first forcibly.
To avoid frequent active/backup link switching caused by abnormal faults, REUP provides a preemption delay function.
When the two links are recovered, link switching is performed when the faulty link becomes stable after a delay (35s by
default).
Related Configuration
By default, the preemption mode is disabled and the delay time is 35s.
You can run the switchport backup interface preemption mode command to configure the preemption mode.
You can run the switchport backup interface preemption delay command to configure the delay time.
A smaller delay means more frequent preemption switching after the faulty link is recovered.
REUP uses the value of the Bandwidth attribute for an AP interface as the actual bandwidth of the AP interface, which
is equal to the value of the Speed attribute (the number of link up member interfaces x the number of member
interfaces).
When an uplink enables STP, the preemption delay time of REUP is greater than 35s.
Working Principle
As shown in Figure 1-2, interface 1 and interface 2 of switch D (E) are enabled with dual link backup of REUP. Interface 1
works as the active interface. During normal communication, switch A learns the MAC addresses of users 1 and 2 (users 3
and 4) from the interfaces connecting to switch B (C).
When interface 1 of switch D (E) is faulty, interface 2 rapidly switches to the forward state and starts forwarding data packets.
In this case, switch A does not learn the MAC addresses of users 1 and 2 (users 3 and 4) on the interfaces connecting to
switch B (C). The data packets sent by the server to users 1 and 2 (users 3 and 4) are forwarded to switch C (B) by switch A,
causing that the packets from the server to users 1 and 2 (users 3 and 4) are lost.
To avoid the preceding problems, you can enable the MAC address update function on switch D (E). When interface 2 starts
forwarding packets, switch D (E) sends a MAC address update message to interface 2. After receiving the MAC address
update message, switch A updates the MAC address on the interface of switch A. In this way, switch A forwards the packets
sent by the server to the users to the interfaces of switch B (C) to make packet convergence faster.
Configuration Guide Configuring REUP
In addition, import the setting of a MAC address update group, that is, classify multiple interfaces into the same group. When
an interface in this group receives a MAC address update message, the MAC addresses on other interfaces in the group are
updated to reduce the side effect of flooding caused by MAC address update.
To be compatible with upstream devices not supporting MAC address update messages, switch D (E) will send MAC
address update packets for users 1 and 2 (users 3 and 4) upward when interface 2 switches to the forward state. In this way,
switch A can update the MAC addresses of users 1 and 2 (users 3 and 4) to the corresponding interfaces and recover the
downlink data transmission of switch A.
Related Configuration
You can run the mac-address-table move update transit command to enable sending of MAC address updates on all
interfaces of a device.
If sending of MAC address update messages is not enabled, MAC address update messages will not be sent when dual link
backup switching of REUP is performed.
You can run the mac-address-table move update receive command to enable receiving of MAC address updates on all
interfaces of a device.
If receiving of MAC address update messages is not enabled, a device cannot receive MAC address update messages from
downlink devices during dual link backup switching of REUP and will not update the MAC addresses.
By default, a VLAN for sending MAC address update messages is the default VLAN to which an interface belongs.
You can run the mac-address-table move update transit vlan command to configure the VLAN in which interfaces send
MAC address update messages.
If the VLAN in which interfaces send MAC address update messages is configured, the messages are sent in the configured
VLAN; otherwise, the messages are sent in the default VLAN to which the interface belongs.
You can run the no mac-address-table move update receive vlan command to configure a VLAN in which interfaces do
not receive MAC address update messages. MAC address update messages are received in remaining VLANs.
If no VLAN in which interfaces receive MAC address update messages is configured, MAC address update messages are
received in all the configured VLANs; otherwise, MAC address update messages are received in the remaining VLANs.
You can run the mac-address-table update group command to add an interface to the MAC address update group. The
interface is added to the first update group by default.
If no MAC address update group is configured, MAC address update will not be performed when MAC address update
packets are received.
Configuring the Maximum Number of MAC Address Update Packets Sent Per Second
By default, the maximum number of MAC address update packets sent per second is 150.
You can run the mac-address-table move updatemax-update-rate command to configure the maximum number of MAC
address update packets sent per second.
The larger the number of packets, the more CPU time used for sending the packets, and the fewer downlink packets are lost.
The VLAN load balance function allows REUP to forward data packets of mutually exclusive VLANs for two interfaces to
make full use of the link bandwidth.
As shown in Figure 1-4, configure dual link backup of REUP and enable VLAN load balance of REUP on interface 1 and
interface 2 of switch D, and map VLAN 1 to instance 1 and VLAN 2 to instance 2. Data of VLAN 1 (instance 1) is transmitted
through interface 1 and all the other data of VLAN 2 (instance 2) is transmitted through interface 2. Perform the same
processing on switch E.
When an interface is faulty, the other interface takes over the transmission of all VALNs. When the faulty interface is
recovered and does not become faulty within the preemption delay, the transmission of VLANs is switched back to the
recovered interface.
Configuration Guide Configuring REUP
Related Configuration
You can run the switchport backup interface prefer instance command to enable the VLAN load balance function.
If this function is not enabled, the link bandwidth cannot be fully used when packets are forwarded when the two links are
normal. You must enable the VLAN load balance function on a port so that the interface can be involved in VLAN load
balance.
The instance mapping of REUP VLAN load balance is controlled by the MSTP module in a unified manner. For details
about how to configure the instances, see the description in the Configuring MSTP.
The VLAN load balance function can be configured only on trunk, uplink or hybrid interfaces.
Working Principle
Link state tracking provides the function of notifying downlink devices for link switching when the upstream link is faulty. You
can configure the uplink and downstream interfaces of a link state tracking group and bind the link status of multiple
downstream interfaces to the interfaces of multiple upstream links to implement link status synchronization. When all
upstream links in a tracking group are faulty, the interfaces of the downstream links are shut down forcibly to ensure that the
transmission of the downstream links is switched from the active link to the backup link.
As shown in Figure 1-5, when the upstream link of switch B is faulty, link state tracking rapidly shuts down the downstream
interface of switch B so that the uplink transmission of switch D is switched to switch C.
Figure 1-5 A topology where the upstream link of the active link is faulty
Related Configuration
You can run the link state track [number] command to enable a link tracking group. The value of number ranges from 1 to 2.
The first link tracking group is enabled by default (the default value of number is 1).
If link tracking is not enabled, the status of a corresponding upstream interface cannot be detected and packet forwarding
switching cannot be implemented in time.
Configuration Guide Configuring REUP
You can run the link state track number up-delay timer command to enable a link tracking group. The value of number
ranges from 1 to 2. The first link tracking group is enabled by default (the default value of number is 1). The value of timer
ranges from 0 to 300s, which is 0s by default.
By enabling the downlink delay up function, you can avoid frequent downlink switching caused by uplink flapping in a link
tracking group. That is, when the upstream link becomes up, the downstream link becomes up after a delay.
You can run the link state group [number] {upstream | downstream} command to set upstream interfaces and downstream
interfaces of the link tracking group. The value of number ranges from 1 to 2. An interface is added to the first link tracking
group by default (the default value of number is 1).
If an interface is not added to a tracking group, the status of a corresponding upstream interface cannot be detected and
packet forwarding switching cannot be implemented in time.
1.4 Configuration
Configuring Basic Functions (Mandatory) It is used to enable dual link backup of REUP.
of REUP
switchport backup interface Enables dual link backup of REUP.
(Optional) It is used to determine the preemption mode and delay time. The default
values are used if they are not configured.
Configuring the Preemption
Mode and Delay Function of switchport backup interface preemption
Sets the preemption mode.
REUP mode
switchport backup interface preemption
Sets the delay time for preemption.
delay
Configuring MAC Address
(Optional) It is used to enable rapid update of MAC addresses.
Update
Configuration Guide Configuring REUP
When a link is faulty, the other normal link is switched to the forward state immediately for forwarding packets.
Notes
An interface belongs to only one REUP pair. Each active link has only one backup link. A backup link can be used as
the backup link of only one active link. The active and backup links must use different interfaces.
REUP supports layer-2 physical interfaces and AP interfaces, but does not support AP member interfaces.
The active and backup interfaces may be of different types and have different rates. For example, an AP interface can
be used as the active interface whereas a physical interface is configured as the backup interface.
Interfaces successfully configured with REUP cannot change interfaces to layer-3 interfaces or be added to an AP.
Configuration Steps
Mandatory.
If there is no special requirement, dual link backup of REUP should be enabled on an interface of the receiving switch.
Verification
Run the show interfaces switchport backup [detail] command to check whether dual link backup of REUP is configured.
Related Commands
Configuration Example
Scenario As shown in Figure 1-6, there are two upstream links from switch D to switch A, which are switch D > switch
Figure 1-6 B > switch A and switch D > switch C > switch A. There are two upstream links from switch E to switch A,
Dual uplink which are switch E > switch B > switch A and switch E > switch C > switch A.
networking
Configuration Guide Configuring REUP
Configuration Configure dual link backup (the interface Gi0/1 is the active interface and Gi0/2 is the backup interface)
Steps of REUP on the access switch D (E).
D
SwitchD> enable
E
SwitchE> enable
Verification Check the dual link backup information configured for switch D (E).
D
SwitchD#show interfaces switchport backup detail
--------------------------------------------------------------------------
E
SwitchE#show interfaces switchport backup detail
--------------------------------------------------------------------------
Common Errors
Restrict the preemption mode and preemption delay time for REUP link switching.
Notes
Configuration Steps
Optional.
Configuration Guide Configuring REUP
If the active link needs to always forward packets or the link bandwidth needs to be used to determine the link for
forwarding packets, the corresponding preemption mode and delay time must be configured.
Verification
Run the show interfaces switchport backup [detail] command to check whether the preemption mode and delay time are
consistent with the configurations.
Related Commands
Configuration Example
Scenario As shown in Figure 1-6, there are two upstream links from switch D to switch A, which are switch D > switch
B > switch A and switch D > switch C > switch A. There are two upstream links from switch E to switch A,
which are switch E > switch B > switch A and switch E > switch C > switch A.
Configuration Configure the preemption mode to bandwidth on the access switch D (E) and the delay time to 40s.
Steps
D
SwitchD> enable
Configuration Guide Configuring REUP
E
SwitchE> enable
Verification Check the dual link backup information configured for switch D (E).
D
SwitchD#show interfaces switchport backup detail
--------------------------------------------------------------------------
E
SwitchE#show interfaces switchport backup detail
--------------------------------------------------------------------------
Common Errors
Rapidly delete and update MAC addresses of an interface during link switching to make packet convergence faster.
Notes
Each device can be configured with a maximum of 8 address update groups. Each address update group can have a
maximum of 8 member interfaces and an interface can belong to multiple address update groups.
Configuration Steps
Mandatory.
If there is no special requirement, the MAC address update function should be configured.
Verification
Run the show mac-address-table update group [detail] command to view the update group configuration.
Related Commands
Configuring the Maximum Number of MAC Address Update Packets Sent Per Second
Configuring the VLAN Range for Processing MAC Address Update Messages
Parameter vlan-range: Indicates the VLAN range for processing MAC address update messages.
Description
Command Configuration mode
Mode
Usage Guide This command is used to disable the function for processing MAC address update messages on certain
VLANs. For a VLAN disabled with the function for processing MAC address update messages, MAC
address update packets can be used to recover the downlink transmission of uplink devices; however, the
convergence performance for link faults will be decreased.
Configuration Example
Scenario As shown in Figure 1-6, there are two upstream links from switch D to switch A, which are switch D > switch
B > switch A and switch D > switch C > switch A. There are two upstream links from switch E to switch A,
which are switch E > switch B > switch A and switch E > switch C > switch A.
Enable sending of MAC address update messages on the access switch D (E).
Configuration
Enable receiving of MAC address update packets on switch B (C).
Steps
Add all interfaces on the REUP switching path to the same MAC address update group.
In the environment, Gi0/1 and Gi0/3 of switch B are the interfaces on the switching path of switch D's
uplink, and Gi0/3 and Gi0/2 are the interfaces on the switching path of switch E's uplink. You can add
interfaces Gi0/1, Gi0/2 and Gi0/3 to the same address update group. Similarly, you can obtain the
configuration of switch C.
Enable receiving of MAC address update packets on switch A.
Add all interfaces on the REUP switching path of switch A to the same MAC address update group.
D
SwitchD> enable
SwitchD(config)# exit
E
SwitchE> enable
SwitchE(config)# exit
Configuration Guide Configuring REUP
B
SwitchB# configure terminal
SwitchB(config-if-range)# end
C
SwitchB# configure terminal
SwitchB(config-if-range)# end
A
SwitchA# configure terminal
SwitchA(config-if-range)# end
Verification Check the information about the address update groups on switches D, E, C, B and A.
D
SwitchD# show run | incl mac-ad
E
SwitchE# show run | incl mac-ad
B
SwitchB# show mac-address-table update group detail
--------------------------------------------------------------------------------------------
Gi0/1 0 0000.0000.0000
Gi0/2 0 0000.0000.0000
Gi0/3 0 0000.0000.0000
C
SwitchC# show mac-address-table update group detail
--------------------------------------------------------------------------------------------
Gi0/1 0 0000.0000.0000
Gi0/2 0 0000.0000.0000
Gi0/3 0 0000.0000.0000
A
SwitchA# show mac-address-table update group detail
--------------------------------------------------------------------------------------------
Gi0/1 0 0000.0000.0000
Gi0/2 0 0000.0000.0000
Common Errors
Notes
The Access interface cannot be shared by VLAN load balance and STP.
Configuration Guide Configuring REUP
For interfaces successfully configured with VLAN load balance, you cannot modify the attributes of the interfaces but
can modify the VLAN attributes of the interfaces.
Configuration Steps
If there is a requirement for VLAN load balance, corresponding configuration must be performed.
Verification
Run the show interfaces switchport backup [detail] command to check whether VLAN load balance is configured.
Related Commands
Configuration Example
Scenario As shown in Figure 1-6, there are two upstream links from switch D to switch A, which are switch D > switch
B > switch A and switch D > switch C > switch A. There are two upstream links from switch E to switch A,
which are switch E > switch B > switch A and switch E > switch C > switch A.
Configuration Configure instance mappings on switch D (E) to map VLAN 1 to instance 1, VLAN 2 to instance 2,
Steps VLAN 3 to instance 3, and VLAN 4 to instance 4. For details, see the MSTP Configuration Guide.
Configure the VLAN load balance function on switch D (E).
D
SwitchD> enable
E
SwitchE> enable
Configuration Guide Configuring REUP
Verification Check the dual link backup information configured for switch D (E).
D
SwitchD#show interfaces switchport backup detail
--------------------------------------------------------------------------
Mapping VLAN 2
E
SwitchE#show interfaces switchport backup detail
--------------------------------------------------------------------------
Mapping VLAN 4
Common Errors
The mappings between VLAN IDs and instances are not configured.
After detecting that the upstream link is disconnected, forcibly disconnect the downstream link so that link switching can
be performed.
Notes
For the link state tracking function, each interface belongs to only one link state tracking group and each device can be
configured with up to 2 link state tracking groups. Each link state tracking group can have 8 upstream interfaces and
256 downstream interfaces.
Configuration Steps
Mandatory.
Verification
Run the show link state group command to view the configured link tracking information.
Related Commands
Configuration Example
As shown in Figure 1-6, there are two upstream links from switch D to switch A, which are switch D > switch
Scenario
B > switch A and switch D > switch C > switch A. There are two upstream links from switch E to switch A,
which are switch E > switch B > switch A and switch E > switch C > switch A.
Configuration Create link tracking group 1 on switch B (C).
Steps On switch B (C), add the interfaces Gi0/1 and Gi0/2 as downstream interfaces of the link tracking group
and add the interface Gi0/3 as an upstream interface of the link tracking group.
Configuration Guide Configuring REUP
B
SwitchB> enable
SwitchB(config-if-GigabitEthernet 0/2)#exit
SwitchB(config-if-GigabitEthernet 0/3)#exit
C
SwitchC> enable
SwitchC(config-if-GigabitEthernet 0/2)#exit
SwitchC(config-if-GigabitEthernet 0/3)#exit
Verification
Check the link tracking group information configured for switch B (C).
B
SwitchB#show link state group
Common Errors
Interfaces are added to a link tracking group when the link tracking group is not enabled.
1.5 Monitoring
Displaying
Description Command
Displays the dual link backup information of show interfaces[ interface-id]switchport backup [detail]
REUP.
Displays the configurations of an MAC show mac-address-table update group [detail]
address update group.
Displays the REUP statistics about sent show mac-address-table move update
MAC address update messages.
Displays the information about a link state show link state group
tracking group.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Enables all REUP debugging. debug reup all
Debugs the normal running process of debug reup process
REUP.
Debugs MAC address update messages of debug reup packet
REUP.
Debugs MAC address update packets of debug reup macupdt
REUP.
Debugs hot backup. debug reup ha
Debugs errors occurring in REUP running. debug reup error
Debugs received events. debug reup evnet
Debugs statistics when show operations are debug reup status
performed.
Configuration Guide Configuring RLDP
2 Configuring RLDP
2.1 Overview
The Rapid Link Detection Protocol (RLDP) achieves rapid detection of unidirectional link failures, directional forwarding
failures and downlink loop failures of an Ethernet. When a failure is found, relevant ports will be closed automatically
according to failure treatment configuration or the user will be notified to manually close the ports to avoid wrong flow
forwarding or an Ethernet layer-2 loop.
2.2 Applications
Application Description
Unidirectional Link Detection Detect a unidirectional link failure.
Bidirectional Forwarding Detection Detect a bidirectional link failure.
Downlink Loop Detection Detect a link loop.
Scenario
As shown in the following figure, A is connected to B via optical fiber. The two lines are the Tx and Rx lines of optical fiber.
Unidirectional link detection is enabled on A and B. If any of the Tx of Port A, Rx of Port B, Tx of Port B and Rx of Port A fails,
a unidirectional failure will be detected and treated under the RLDP. If the failure is eliminated, the administrator may
manually restore the RLDP on A and B and resume detection.
Figure 2-1
Deployment
Configure unidirectional link detection under Port A and Port B and define a method for failure treatment.
Configuration Guide Configuring RLDP
Scenario
As shown in the following figure, A is connected to B via optical fiber, and the two lines are Tx and Rx lines of optical fiber.
Unidirectional link detection is enabled on A and B. If the Tx of Port A, Rx of Port B, Rx of Port A and Tx of Port B all fail, a
bidirectional failure will be detected and treated under the RLDP. If the failure is eliminated, the administrator may manually
restore the RLDP on A and B and resume detection.
Figure 2-2
Deployment
Configure BFD under Port A and Port B and define a method for failure treatment.
Scenario
As shown in the following figure, A, B and C are connect into a loop. Downlink loop detection is enabled on A, and a loop is
detected and treated.
Figure 2-3
Deployment
Configure downlink loop detection on the Gi 2/0/1 and Gi 2/0/9 ports of A, and define a method for failure treatment.
2.3 Features
Most Ethernet link detection mechanisms detect link connectivity through automatic physical-layer negotiation. However, in
some cases devices are connected on the physical layer and operate normally but layer-2 link communication is disabled or
abnormal. The RLDP recognizes a neighbor device and detects a link failure through exchanging Prob packets, Echo
packets or Loop packets with the device.
Basic Concepts
A unidirectional link failure occurs in case of a cross-connected optical fiber, a disconnected optical fiber, an open-circuit
optical fiber, one open-circuit line in a twisted-pair cable, or unidirectional open circuit of an intermediate device between two
devices. In such cases, one end of a link is connected and the other disconnected so that flow is forwarded wrongly or a loop
guard protocol (for example, the STP) fails.
A bidirectional link failure occurs in case of two optical fibers, two open-circuit lines in a twisted-pair cable, or bidirectional
open circuit of an intermediate device between two devices. In such cases, the both ends of a link are disconnected so that
flow is forwarded wrongly.
Loop Failure
RLDP Packet
The RLDP defines three types of packets: Prob packets, Echo packets and Loop packets.
Prob packets are layer-2 multicast packets for neighbor negotiation, and unidirectional or bidirectional link detection.
The default encapsulation format is SNAP, which changes automatically to EthernetII if a neighbor sends EthernetII
packets.
Echo packets are layer-2 unicast packets as response to Prob packets and used for unidirectional or bidirectional link
detection. The default encapsulation format is SNAP, which changes automatically to EthernetII if a neighbor sends
EthernetII packets.
Loop packets are layer-2 multicast packets for downlink loop detection. They can only be received. The default
encapsulation format is SNAP.
Configuration Guide Configuring RLDP
A detection interval and the maximum detection times can be configured for the RLDP. A detection interval determines the
period of sending Prob packets and Loop packets. When a device receives a Prob packet, it replies with an Echo packet
immediately. A detection interval and the maximum detection times determine the maximum detection time (equal to a
detection interval × the maximum detection times + 1) for unidirectional or bidirectional link detection. If neither Prob nor Echo
packet from a neighbor can be received within the maximum detection time, the treatment of unidirectional or bidirectional
failure will be triggered.
When configured with unidirectional or bidirectional link detection, a port can learn a peer-end device as its neighbor. One
port may learn one neighbor, which is variable. If negotiation is enabled, unidirectional or bidirectional link detection starts
after a port finds a neighbor through negotiation, which succeeds when a port receives a Prob packet from the neighbor.
However, if the RLDP is enabled under a failure, the port cannot learn a neighbor so that detection cannot start. In this case,
recover the link state before enabling the RLDP.
Warning: Only print Syslog to indicate a failed port and a failure type.
Shutdown SVI: Print Syslog, and then inquire an SVI according to the Access VLAN or Native VLAN of a port and shut
down the SVI if the port is a physical exchange port or layer-2 AP member port.
Port violation: Print Syslog, and configure a failed port as in violation state, and the port will enter Linkdown state
physically.
Block: Print Syslog, and configure the forward state of a port as Block, and the port will not forward packets.
Manual reset: Manually reset all failed ports to initialized state and restart link detection.
Manual or automatic errdisable recovery: Recover all failed ports to initialized state manually or regularly (30s by default
and configurable) and restart link detection.
Automatic recovery: Under unidirectional or bidirectional link detection, if the treatment for failed ports is not specified as
port violation, recover ports to initialized state based on Prob packets and restart link detection.
error: Indicates the state of a port after a unidirectional or bidirectional link failure or a loop failure is detected.
Overview
Feature Description
Configuration Guide Configuring RLDP
Deploying RLDP Enable unidirectional or bidirectional link detection or downlink loop detection for failures and
Detection implement treatment.
Working Principle
When this function is enabled, a port sends Prob packets and receives Echo packets from a neighbor regularly as well as
receiving Prob packets from a neighbor and replying with Echo packets. Within the maximum detection time, if the port
receives Prob packets but no Echo packets, or none of them, treatment for a unidirectional failure will be triggered and
detection will stop.
When this function is enabled, a port sends Prob packets and receives Echo packets from a neighbor regularly as well as
receiving Prob packets from a neighbor and replying with Echo packets. Within the maximum detection time, if the port
receives neither Prob packets nor Echo packets from a neighbor, treatment for a bidirectional failure will be triggered and
detection will stop.
When this function is enabled, a port sends Loop packets regularly. In the following cases, a loop failure will be triggered after
the same port or a different port receives the packets: in one case, the egress and ingress ports are the same routed port or
layer-3 AP member port; in another case, the egress and ingress ports are exchange ports or layer-2 AP member ports in a
same default VLAN and in Forward state. Treatment for the failure will be implemented and detection will stop.
Related Configuration
You may run the global command rldp enable or the interface command rldp port to enable RLDP detection and specify a
detection type and treatment.
You may run the rldp neighbor-negotiation command to neighbor negotiation, the rldp detect-interval to specify a
detection interval, the rldp detect-max to specify detection times, or the rldp reset to recover a failed port.
2.4 Configuration
Configuring Basic RLDP (Mandatory) It is used to enable RLDP detection under global configuration mode.
Functions
rldp enable Enables global RLDP detection on all ports.
Configuration Guide Configuring RLDP
(Mandatory)It is used to specify under interface configuration mode a detection type and
failure treatment for an interface.
Enable RLDP unidirectional link detection, bidirectional forwarding detection, or downlink loop detection to discover
failures.
Notes
Loop detection is effective to all member ports of an AP when configured on one of the ports. Unidirectional link
detection and bidirectional forwarding detection are effective only on an AP member port.
The loop detection on a physical port added to an AP shall be configured the same as that of the other member ports.
There are three cases. First, if loop detection is not configured on a newly-added port but on the existing member ports,
the new port adopts the configuration and detection results of the existing ports. Second, if a newly-added port and the
existing member ports have different loop detection configuration, the new port adopts the configuration and detection
results of the existing ports.
When configuring the RLDP on an AP port, you may configure failure treatment only as "shutdown-port", to which other
configurations will be modified.
When "shutdown-port" is configured on a port, RLDP detection cannot be restored in case of a failure. After
troubleshooting, you may run the rldp reset or errdisable recovery command to restore the port and resume detection.
For configuration of the errdisable recovery command, please refer to the Configuring Interface.
Configuration Steps
Configuration Guide Configuring RLDP
Enabling RLDP
Mandatory.
Optional.
Enable the function under global configuration mode, and port detection will be started under successful neighbor
negotiation.
Optional.
Optional.
Mandatory.
Configure unidirectional RLDP detection, bidirectional RLDP detection or downlink loop detection under interface
configuration mode, and specify failure treatment.
Optional.
Enable this function under privileged mode to restore all failed ports and resume detection.
Verification
Related Commands
Mode
Usage Guide Enable global RLDP detection.
Configuration Example
As shown in the following figure, the aggregation and access sections are in a ring topology. The STP is
Scenario
enabled on all devices to prevent loop and provide redundancy protection. To avoid a unidirectional or
Figure 2-4
bidirectional link failure resulting in STP failure, RLDP unidirectional and bidirectional link detection is
enabled between aggregation devices as well as between an aggregation device and the access device. To
avoid loop due to wrong downlink connection of the aggregation devices, enable RLDP downlink loop
detection on the downlink ports of the aggregation devices and of the access device. To avoid loop due to
wrong downlink connection of the access device, enable RLDP downlink loop detection on the downlink
ports of the access device.
Configuration SW A and SW B are aggregation devices, and SW C is an access device. Users connected to SW C.
Steps SW A, SW B and SW C are structured in a ring topology, and the STP is enabled on each of them. For
STP configuration, refer to relevant configuration guide.
Enable the RLDP on SW A, enable unidirectional and bidirectional link detection on the two ports, and
enable loop detection on the downlink port.
Enable the RLDP on SW B, enable unidirectional and bidirectional link detection on the two ports, and
enable loop detection on the downlink port.
Enable the RLDP on SW C, enable unidirectional and bidirectional link detection on the two uplink
ports, and enable loop detection on the two downlink ports.
A A#configure terminal
A(config)#rldp enable
A(config-if-GigabitEthernet 2/0/1)#exit
C C#configure terminal
C(config)#rldp enable
C(config-if-GigabitEthernet 0/50)#exit
C(config-if-GigabitEthernet 0/1)#exit
C(config-if-GigabitEthernet 0/2)#exit
-----------------------------------
action: shutdown-port
state : normal
action: shutdown-port
state : normal
action: shutdown-port
state : normal
action: shutdown-port
state : normal
action: shutdown-port
state : normal
Common Errors
RLDP functions and private multicast address authentication or TPP are enabled at the same time.
Neighbor negotiation is not enabled when configuring unidirectional or bidirectional link detection. The RLDP should be
enabled on a neighbor device, or otherwise a unidirectional or bidirectional failure will be detected.
If RLDP detection is configured to be implemented after neighbor negotiation while configuring unidirectional or
bidirectional link detection, detection cannot be implemented as no neighbor can be learned due to a link failure. In this
situation, you are suggested to recover the link state first.
You are suggested not to specify the failure treatment as Shutdown SVI under a routed port.
Configuration Guide Configuring RLDP
You are suggested not to specify the failure treatment as Block for a port, on which a loop protection protocol is enabled,
for example, the STP.
Common Errors
When the exec-cmd command is executed for interface configuration, the input of the corresponding AP wired port is
incorrect.
When the RLDP loop detection configurations are modified, the no exec-cmd command is not executed to delete the
original configurations or the exec-cmd command is not re-executed to cancel the configurations.
2.5 Monitoring
Displaying
Description Command
Displays RLDP state. show rldp [ interface interface-name ]
Configuration Guide Configuring DLDP
3 Configuring DLDP
3.1 Overview
The Data Link Detection Protocol (DLDP) is a protocol used to quickly detect faulty Ethernet links.
A typical Ethernet link detection mechanism detects physical link connectivity through autonegotiation at the physical layer.
Such a mechanism has limitations when detecting Layer-3 data communication exceptions despite normal physical
connections.
DLDP provides reliable Layer-3 link detection information. After detecting a faulty link, DLDP shuts down the logical state of
Layer-3 ports to realize fast Layer-3 protocol convergence.
3.2 Applications
Application Description
Intra-Network Segment DLDP The source IP address of the detected port and the detected IP address are in the
Detection same network segment.
Inter-Network Segment DLDP The source IP address of the detected port and the detected IP address are in
Detection different network segments.
Scenario
This section describes the basic DLDP application scenario where the source IP address of the detected port and the
detected IP address are in the same network segment.
In Figure 3-1, the Gi 0/1 Layer-3 port on Switch A and the Gi 0/2 Layer-3 port on Switch C are in the same network segment.
To detect the Layer-3 link connectivity from Gi 0/1 to Gi 0/2, enable DLDP on Gi 0/1 or Gi 0/2.
Figure 3-1
Deployment
Scenario
This section describes the DLDP application scenario where the source IP address of the detected port and the detected IP
address are in different network segments.
In Figure 3-2, the Gi 0/1 Layer-3 port on Switch A and the Gi 0/4 Layer-3 port on Switch D are in different network segments.
To detect the Layer-3 link connectivity from Gi 0/1 to Gi 0/4, enable DLDP on Gi 0/1 and configure the DLDP next-hop IP
address (IP address of the Gi 0/2 port on Switch B).
Figure 3-2
Deployment
3.3 Features
Basic Concepts
Detection interval: Indicates the interval at which DLDP detection packets (ICMP echo) are transmitted.
Retransmission times: Indicate the maximum times DLDP detection packets can be retransmitted in the case of a DLDP
detection failure.
When a network device does not receive a reply packet from the peer end within the period of the detection interval multiplied
by the retransmission times, the device determines that a Layer-3 link failure occurs and shuts down the logical state of its
Layer-3 port (despite the normal physical link connection). When Layer-3 link connectivity is recovered, the device restores
its Layer-3 port to Up logical state.
Active mode and passive mode are two DLDP detection modes.
Next hop: Indicates the next node connected to the detected IP address in inter-network segment DLDP detection.
In some cases, DLDP needs to detect IP reachability in non-directly connected network segments. You need to configure the
next-hop IP address for the detected port to allow DLDP to obtain the next-hop MAC address through an ARP packet before
sending a correct ICMP packet.
In this situation, you need to avoid the return of the reply packet from another link; otherwise, DLDP will misjudge that the
detected port does not receive an ICMP reply.
Recovery times: Indicate the times DLDP needs to receive consecutive reply packets (ICMP reply) before it can determine
link failure recovery.
In some cases, link detection may be unstable. For example, a link is only intermittently pingable. In this case, DLDP
repeatedly changes the link status between Up and Down, which may further destabilize the ring network.
Recovery times indicate the times DLDP needs to receive consecutive reply packets before DLDP can set the link in Down
state to Up. The default recovery times are three times, indicating that the link needs to be successfully pinged three times
before it is set to Up. The recovery times setting reduces link detection sensitivity but increases stability. Related parameters
are adjustable according to the network condition.
Bound MAC address: Indicates the MAC address bound to the detected IP address.
In a complex network environment, DLDP may obtain an invalid MAC address if the detected link has abnormal ARP packets
transmitted (causing ARP spoofing), which will make DLDP detection abnormal.
To address this problem, you can bind the detected IP address (or next-hop IP address) to a static MAC address to avoid a
DLDP failure in the case of ARP spoofing.
Overview
Feature Description
DLDP Detection Detects Layer-3 link connectivity. When a Layer-3 link is abnormal, DLDP shuts down the Layer-3
port.
MAC Address Binds the detected IP address to the MAC address of the detected device to avoid DLDP exceptions
Binding otherwise caused by ARP spoofing.
Passive DLDP When both ends of the detected link are enabled with DLDP, you can configure one end in passive
Detection mode to save bandwidth and CPU resources.
Configuration Guide Configuring DLDP
Working Principle
After DLDP detection is enabled, DLDP sends an ARP packet to obtain the MAC address and outbound port of the detected
device or the next-hop device. Then DLDP periodically sends IPv4 ICMP echo packets to the MAC address and outbound
port to detect link connectivity. If DLDP does not receive an IPv4 ICMP reply packet from the detected device within a specific
period, DLDP determines that the link is abnormal and sets the Layer-3 port to Down.
Related Configuration
Run the dldp command with the detected IP address specified to enable DLDP detection.
You can configure the next-hop IP address, MAC address of the detected device, transmission interval, retransmission times,
and recovery times based on the actual environment.
Working Principle
You can bind the detected IP address (or next-hop IP address) to a static MAC address to avoid a DLDP failure in the case of
ARP spoofing.
Related Configuration
Bind the MAC address of the detected device when you run the dldp command to enable DLDP detection. If the next-hop IP
address is specified, bind the MAC address of the next-hop device.
After DLDP detection is enabled, DLDP sends ARP packets and ICMP packets with a fixed destination IP address and a
fixed destination MAC address. If the source IP address and MAC address in the received packet do not match the bound IP
address and MAC address, DLDP will not process the packet.
Working Principle
Configuration Guide Configuring DLDP
After the device at the local end sends an ICMP echo packet, the peer device determines link connectivity according to the
packet reception time by using specific detection parameters, which are the same as those at the local end, thus saving
bandwidth and CPU resources.
Related Configuration
After passive DLDP detection is enabled, DLDP will return an ICMP reply packet upon receiving an ICMP echo packet,
instead of actively sending ICMP echo packets to the peer end. If DLDP does not receive an ICMP echo packet within a
specific period, it determines that the link to the peer port is abnormal.
3.4 Configuration
Detect Layer-3 link connectivity. When a Layer-3 link is abnormal, DLDP shuts down the Layer-3 port.
Notes
DLDP supports the configuration of multiple IP addresses on a Layer-3 port. DLDP sets the port to Down when none of
the IP addresses receives an ICMP reply. If one IP address resumes communication, DLDP sets the port to Up again.
DLDP uses the first IP address of the Layer-3 port as the source IP address of detection packets.
Configuration Steps
Mandatory.
When you enable DLDP detection in interface configuration mode, you can configure the next-hop IP address, MAC
address, transmission interval, retransmission times, and recovery times based on the actual environment.
Optional.
You can configure active or passive DLDP detection in interface configuration mode based on the actual environment.
If DLDP detection needs to be enabled at both ends of a Layer-3 link, you can configure passive DLDP detection at one
end to save bandwidth and CPU resources.
Optional.
You can modify the parameters of DLDP detection on all ports in global configuration mode based on requirements.
The parameters include the packet transmission interval, packet retransmission times, and recovery times.
Verification
Display the device DLDP information, including the status and statistics of DLDP detection on all ports.
Related Commands
Command dldp ip-address [ next-hop-ip ] [ mac-address mac-addr ] [ interval tick ] [ retry retry-num ] [ resume
resume-num ]
Parameter ip-address: Indicates the detected IP address.
Description next-hop-ip: Indicates the next-hop IP address.
mac-addr: Indicates the MAC address of the detected device to be bound. If the next-hop IP address is
specified, bind the MAC address of the next-hop device.
tick: Indicates the interval at which detection packets are transmitted. The value ranges from 5 to 6,000 ticks
(1 tick = 10 ms). The default value is 100 ticks (1s).
retry-num: The value ranges from 1 to 3,600. The default value is 4.
resume-num: Indicates the recovery times. The value ranges from 1 to 200. The default value is 3.
Command Interface configuration mode
Mode
Usage Guide The port to be enabled with DLDP detection must be a Layer-3 port, such as a router port, L3AP port, and
SVI port.
Parameter N/A
Description
Command Interface configuration mode
Mode
Usage Guide You need to enable DLDP detection before configuring a DLDP detection mode.
Configuration Example
Enabling DLDP Detection on Layer-3 Ports on Device A and Device B in a Layer-3 Network
Scenario
Figure 3-3
Configuration Guide Configuring DLDP
Verification Enable DLDP detection on the Gi 0/1 and Gi 0/2 router ports on Device A to detect the Layer-3 link
connectivity between Device A and Device B and that between Device A and Device D.
To control the Gi 0/2 router port of Device B, enable passive DLDP detection on the port.
A
A#configure terminal
B
B#configure terminal
Verification Display the DLDP status on Device A and Device B to check whether DLDP detection is enabled and
works normally.
A
A# show dldp
B
B# show dldp
Common Errors
DLDP detection fails because the peer device does not support ARP/ICMP replies.
3.5 Monitoring
Clearing
Configuration Guide Configuring DLDP
Description Command
Clears DLDP statistics. clear dldp [ interface interface-name [ ip-address ] ]
Displaying
Description Command
Displays the DLDP status. show dldp [ interface interface-name ]
Displays the DLDP statistics on the show dldp statistic
Up/Down port sates.
Configuration Guide Configuring IP Event Dampening
4.1 Overview
When the Layer-3 port on a Layer-3 device frequently goes Up and Down due to manual enabling/disabling or other external
causes, the routing table on the device will flap repeatedly. If a routing protocol is configured, the protocol may propagate the
flap to the entire network, causing repeated updates and recalculation of neighboring routes, which wastes network
bandwidths and destabilizes the network. Repeated route updates and recalculation on devices consume many CPU
resources, which affects the normal running of customer networks.
IP Event Dampening detects abnormal Up/Down flapping and automatically suppresses frequent port state changes, which
prevents the propagation of single-point link failures by a routing protocol. When the port is restored, it will be automatically
unsuppressed, thus reducing network flaps and CPU resource consumption while improving network stability.
At its core, the suppression algorithm used by IP Event Dampening is the same as that used by BGP Route Flap
Dampening.
4.2 Applications
Application Description
Routed Port Flap Monitors the state change of the Layer-3 port on a router, and suppresses frequent port
Dampening flapping.
In a network that runs a routing protocol, when a port on a router connected to another router frequently goes Up and Down,
neighboring routes will be repeatedly updated and recalculated. The routing protocol may propagate the flap to the entire
network, causing a network flap. IP Event Dampening can be enabled on the connected routers to monitor port state
changes and suppress frequent port flapping, thus reducing network flaps and CPU resource consumption while improving
network stability.
Configuration Guide Configuring IP Event Dampening
Figure 4-1
Deployment
The subinterfaces and the virtual templates of interfaces on routers do not support the dampening feature.
4.3 Features
Basic Concepts
Penalty
A port that goes Up or Down gets a penalty for each state change, but the penalty decays exponentially when the port is
stable. In this way, port behaviors can be sensed and controlled intelligently.
Suppress Threshold
When the cumulative penalty of a port exceeds a suppress threshold, the port is considered to flap and will be suppressed.
Half-Life Period
The half-life period is the period required for the penalty to decrease to half of the original value when the port is stable. It
defines the speed at which the penalty decays exponentially. The shorter the half-life period, the faster the penalty decays,
and the faster the port is detected to be stable, but the flap detection sensitivity is reduced.
Reuse Threshold
When the port no long flaps and its penalty decays to a certain degree (below the suppress threshold), the port is considered
to be stable and is unsuppressed.
When a port keeps flapping and reaches a very large penalty, the port will not be usable for a long time. To avoid this
problem, the maximum suppress time is defined to always maintain the port suppression duration below a certain value no
matter how long the port has flapped.
Configuration Guide Configuring IP Event Dampening
Overview
Feature Description
Port Flap Configure the criteria and parameters of flap suppression on ports to enable switches or routers to
Suppression identify and suppress frequently flapping ports, which ensures route stability and avoids route flap
propagation.
A port configured with IP Event Dampening is assigned a penalty. The port gets a penalty of 1,000 each time when it goes
Down, but the penalty decreases with time. If the port goes Down again, the penalty increases accordingly. When the
cumulative penalty exceeds the suppress threshold, the port will be suppressed. For the affected upper-layer protocol, the
suppressed port is always Down no matter what the actual port state is. When the penalty decreases to the reuse threshold,
the port will be unsuppressed, and the upper-layer protocol can sense the actual port state.
If a Layer-3 port is not configured with IP Event Dampening, or is not suppressed by it, the routing protocol or other protocol
concerned about the port status still work normally. When the port is suppressed, the upper-layer protocol considers the port
to be Down. Any state change of the port before the port is unsuppressed does not affect the routing table and the route
calculation and advertisement performed by the upper-layer routing protocol.
Related Configuration
4.4 Configuration
When a port configured with IP Event Dampening keeps flapping until the predefined threshold is exceeded, the port is set to
Down.
Notes
Configuration Guide Configuring IP Event Dampening
When a Layer-3 port on a switch is converted to a Layer-2 port (for example, from a routed port to a switch port), the IP
Event Dampening configuration on the port will be deleted.
Only the main interface on a router can be configured with IP Event Dampening. The configuration takes effect for all
subinterfaces of the main interface, but you cannot run the dampening command directly on subinterfaces and virtual
templates.
Configuration Steps
Mandatory.
You can specify the half-life period, reuse threshold, suppress threshold, maximum suppress time, and initial penalty. If
you do not set these parameters, their default values will be used.
Verification
Use any one of the following commands to check whether the configuration takes effect:
show running-config
show interfaces [ interface-id ] dampening, which is used to check the IP Event Dampening configuration on a
specified port
Related Commands
suppress threshold, the port will never be suppressed. When such a configuration error occurs, the following
message indicating a configuration failure will be printed:
% Maximum penalty (10) is less than suppress penalty (2000). Increase maximum suppress time
If the available system memory is insufficient to run the dampening command, the following message
indicating a configuration failure will be printed:
Configuration Example
Scenario
Figure 4-2
Configuration Enable IP Event Dampening on port GigabitEthernet 0/1 on Router A and on port GigabitEthernet 0/1 on
Steps Router B respectively, and set half-time-period to 30s, reuse-threshold to 1,500, suppress-threshold to
10,000, and max-suppress to 120s.
A
Ruijie(config)#interface GigabitEthernet 0/1
B
Ruijie(config)#interface GigabitEthernet 0/1
Verification Run the show interfaces dampening command to check the IP Event Dampening configuration on the
corresponding ports.
GigabitEthernet 0/1
Flaps Penalty Supp ReuseTm HalfL ReuseV SuppV MaxSTm MaxP Restart
Common Errors
The port on a Layer-3 switch is not converted to a routed port by using the no swithport command before IP Event
Dampening is configured.
Configuration Guide Configuring IP Event Dampening
4.5 Monitoring
Clearing
Description Command
Clears the interface counters. clear counters
For details about the clear counter command, see the related chapter for the "Interface" command.
Displaying
Description Command
Displays the counters on suppressed show dampening interface
ports.
Displays the IP Event Dampening show interfaces dampening
configuration on ports.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Enables debugging of IP Event debug dampening interface
Dampening.
Configuration Guide Configuring VSU
5 Configuring VSU
5.1 Overview
In order to improve the reliability of networks, the two devices at core layer and convergence layer of traditional networks are
configured with two cores to provide redundancy. Access and convergence devices are respectively connected to the cores
through two links. The following figure shows a typical traditional network architecture. Redundant network architecture
increases the complexity of network design and operation. At the same time, a large number of redundant links reduce the
utilization of network resources and return on investment.
Virtual Switching Unit (VSU) is a kind of network system virtualization technology that supports combining multiple devices
into a single virtualized device. As shown in Figure 5-2, access, convergence and core layer devices can respectively form
VSUs, and then these VSUs connect to one another to form an end-to-end VSU network. Compared with traditional network,
this networking can:
5.2 Applications
Application Description
Managing Multiple Devices in a Uses multiple physical devices as a logical device for unified management.
Unified Manner
Simplifying Networking Topology Uses a VSU as a logical device to simplify the networking topology.
When multiple physical devices form a VSU system, the physical devices can be viewed as a logical device. All
configurations are managed on the global master device.
As shown in Figure 5-3, four devices (numbered as 1, 2, 3, and 4 from left to right) form a VSU system. Device 1 is the global
master device, device 2 is the global slave device, and devices 3 and 4 are the global candidate devices.
Figure 5-3
Remarks The devices from left to right in Figure 5-3 are Device 1, Device 2, Device 3 and Device 4.
For details on VSL, see the description in section 1.3.1.
Configuration Guide Configuring VSU
Deployment
The global master device controls the entire VSU system, runs control-plane protocols and is involved in data
forwarding.
The global slave device is involved in data forwarding, does not run control-plane protocols, and works as the backup
and takes over the work of the global master device when faulty.
The global candidate devices are involved in data forwarding and do not run control-plane protocols. When the global
slave device is faulty, a global candidate device can take over the work of the global slave device. In this case, when the
global master and slave devices are faulty, the VSU system will restart.
In traditional networks as shown in Figure7-4, redundant devices and lines need to be added to increase the networking
reliability; however, many algorithms also need to be introduced to prevent loops, which make the networking more complex.
In the VSU system, all devices are viewed as a logical device. Different devices back up each other, and no loop prevention
algorithm needs to be introduced, which can simplify the network.
Two aggregate switches form a VSU system. It is unnecessary to configure a loop prevention algorithm. The two
switches are redundant mutually.
The access switch is connected to the aggregate switches through the uplink AP.
When a switch in the VSU system is faulty, the other link still works.
Figure7-4
Deployment
The global master device controls the entire VSU system, runs control-plane protocols and is involved in data
forwarding.
Configuration Guide Configuring VSU
The global slave device is involved in data forwarding, does not run control-plane protocols, and works as the backup
and takes over the work of the global master device when the global master device is faulty.
The access switch is oriented to users and allows access by users' devices.
5.3 Features
Basic Concepts
VSU System
VSU system is a single logical entity consisting of two or multiple devices in traditional network architecture. For example, the
convergence layer VSU system as shown in the following figure can be seen as a single device that interacts with the core
layer and access layer.
In the above VSU network structure, the member devices form a logical entity through internal links and the access layer
devices are connected to the VSU through aggregated links. In this way, there is no layer 2 loop between the access and
convergence layers.
Except the core and convergence layer devices, the access layer devices can also form a VSU system. A server that
requires high availability can adopt multiple network cards to form an Aggregate Port (AP) to connect access layer devices.
Since AP can only connect to the same access device, the risk of single device fault increases. In this case, VSU can be
used to solve the problem. In the VSU mode, a server adopts multiple network cards and binds them into an AP to connect
different member devices in the same VSU group. This way can prevent single point failure and network interruption caused
by single link failure.
Configuration Guide Configuring VSU
VSU Domain ID
A VSU domain has only one ID. Only the devices with the same domain IDs can form a VSU system.
Member Device ID
Every member device in a VSU system has a unique ID, namely, Switch ID. Switch IDs can be used in device management
or configuring interfaces on member devices. You need to configure an ID for a device when adding the device to a VSU
system and ensure that the ID is unique in the same VSU system. If an ID conflict occurs, the VSU system will reserve one
device according priority.
A VSU system consists of several devices. When establishing a VSU system, you need to select a global master device and
a global slave device. All other devices are global candidate devices. A global master device is elected from multiple
devices based on an election protocol. All other devices are global slave devices in the 1: N hot standby mode. When the 1:1
hot standby mode is supported, one device is the global master device, one device is the global slave device, and all other
devices are global candidate devices.
The global master device is responsible for controlling the entire VSU system, running control plane protocols and
participating in data forwarding. Other devices, including the global slave devices and candidate devices, participate in data
forwarding but do not run control plane protocols. All received control plane data flows are forwarded to the global master
device for processing.
The global slave device also receives the statuses of the global master device in real-time and provide 1:1 or 1:N redundancy
with the global master device. If the global master device becomes faulty, the global slave device will take over services from
the master device and manage the entire VSU system.
The following is the method for selecting the master device of a VSU system:
1. Rules for selecting the master device of a VSU system include (Continue with the next rule if the previous rule does not
help in selecting the master device): a) Select the currently running host as the master device with the highest priority
(All devices are not master devices during startup). b) Select the device with the highest priority as the master device. c)
Select the device with the lowest device No. as the host. d) Select the device with the smallest MAC address as the
master device.
2. In the 1:N hot standby mode, select the device that has the most familiar configurations with the master device as the
slave device to prevent dual active devices. The selection order is: the nearest/the highest priority/the smallest MAC
address.
3. VSU system supports hot adding a support device. Even the hot added device has a higher priority than the master
device has, the VSU system does not perform active/standby switch.
4. The startup order of member device may affect the election of master device. A member device may not join in the VSU
system because it starts up too slowly. In this case, the device will be hot added to the VSU system. Even the device
has a higher priority than the master device, the VSU system does not perform active/standby switchover.
Overview
Feature Description
Configuration Guide Configuring VSU
Virtual Switching Link (VSL) In a VSU system, a virtual link is used to connect all devices.
Topology Describes the internal topology of a VSU system.
Dual-Active Detection (DAD) Avoids that dual master switches coexist in a VSU domain.
System Management Describes possible connections between external devices and VSU devices.
Quick Blinking Location Manages devices in the VSU system.
VSL
The VSU system is a network entity that consists of multiple devices. These devices need to share control information and
part of data streams. The VSL is a special link used for transmission of control information and data streams among devices
of the VSU system. For example, the VSL can be established between two devices through 10 Gigabit Ethernet interfaces.
Figure 5-7 shows the position of the VSL in the VSU system.
The VSL exists in the form of AP groups. The data streams transmitted through the VSL balance load among the aggregation
port members according to the traffic balancing algorithm.
VSL Traffic
The control streams transmitted through the VSL between devices include:
1. The protocol packets received by the member devices: These protocol packets need to be forwarded through the VSL
to the global master device for processing.
2. The protocol packets processed by the global master device: These protocol packets need to be forwarded through the
VSL to the interfaces of other member devices and then sent to the peer devices by these interfaces.
The data streams transmitted through the VSL between devices include:
2. The data streams that need to be forwarded across devices and transmitted through the VSL
Furthermore, the internal management packets of the VSU system are also transmitted through the VSL. The management
packets include the protocol information switched by the hot backup and configuration information delivered by the host to
other member devices.
Configuration Guide Configuring VSU
In terms of the switched port analyzer (SPAN) function, the interface associated with the VSL cannot be regarded as the
source port or destination port of the SPAN.
VSL Failure
If a certain member link connected to the VSL AP group fails to work, the VSU will adjust the configurations of the VSL
aggregation port automatically to prevent the traffic from being transmitted through the faulty member link.
If all member links are disconnected to the VSL AP group, the VSU topology will change. If the original VSU topology is a ring
topology, the ring will convert into a line. For details, see topology ring and line conversion in the section of Topology
Changes.
When a large number of consecutive error frames are detected on a VSL interface, the interface must be disabled and
switched to another VSL interface. The detection method is as follows:
If error frames are found on a VSL interface, perform error frame correction. The system detects the VSL interface every 5
seconds by default. If the number of error frames is greater than the value of num as compared with that detected last time, it
is assumed that error frames are detected once. If error frames are detected consecutively for the value of times, it is
assumed that the interface is abnormal. If multiple VSL links are available when error frames are detected, the VSL will be
switched. The last VSL will not be switched in order to prevent topology splitting.
Different user scenarios have different requirements for num and times. The default value of num is 3 and that of times is 10.
If users have strict requirements on the scenarios, select smaller values for num and times; if reverse, select greater values.
5.3.2 Topology
The VSU system supports line topology and ring topology. Devices are connected through a VSL to form a line that is called
the line topology.
Working Principle
Topology
The line topology is simple. It uses a very few ports and cables. Two devices are connected with a communication link only.
Therefore, the VSL has low reliability.
Expect for the line topology, devices can also form a ring topology, as shown in Figure 5-9. In the ring topology, the two
communication links between devices can back up for each other and perform link redundancy to improve the reliability of the
VSU system.
Configuration Guide Configuring VSU
You are advised to select the ring topology for the VSU system, thus the normal operation of the whole VSU system will
not be affected by any single faulty device or VSL.
Besides selecting the ring topology networking, you are advised to configure multiple VSLs for every VSL member to
improve the reliability of a single VSL. At least two links are recommended and a maximum of four links can be
configured. A reasonable configuration comprises more than two VSLs crossing different cards.
Topology Convergence
Before the establishment of the VSU, the member devices need to discover neighbors through topology discovery protocols
and check devices in the VSU system to confirm the range of the management domain. Then a global master device is
selected to manage the whole VSU system and a global slave device is selected for backup of the master device. Then the
whole VSU topology is converged. As the start up time differs for different devices, the first convergence time of the topology
is also different.
In a ring topology, if a VSL link is disconnected, the ring topology will convert into a line topology. The whole VSU system will
still run normally without network disconnection. To prevent other VSL links and nodes from being faulty, you are advised to
locate the VSL failures and recover the availability of the VSL. After the VSL link is recovered, the line topology will convert
into the ring topology.
Topology Splitting
Configuration Guide Configuring VSU
In the line topology, if the VSL link is disconnected, the line topology will be split, as shown in Figure 5-11. A VSU group is
split into two groups. In this condition, two devices with the absolutely same configurations may exist on the network, which
will cause abnormal operation of the network. Therefore, the multi-active detection (MAD) function (for details, see 1.1.4.6
Multi-Active Detection) needs to be deployed to solve the problem of topology splitting.
Topology Combining
If the two VSU groups are connected through the VSL link, the line topology will be combined. During the topology combining,
restart one VSU group and then hot add the other VSU group.
The principle of topology combining: Minimizing influences on the services during topology combining. The rules are as
follows (Judge from the first item. If you cannot select the optimal topology, continue to judge the next item):
Use the device priority as the first criteria for judging topology combining. Reserve the VSU group containing a device
with the highest priority.
If the previous item cannot help make a judgment, select the VSU group with a smaller switch ID (that of the two global
master switches).
If the previous item cannot help make a judgment, reserve the VSU group with a smaller MAC address (that of the
global master switches).
During topology combining of two VSU groups, the two VSU groups need to be elected. The VSU group that fails the
election will restart automatically and hot add to the other VSU group.
When the VSL is disconnected, the slave device switches to the master device. If the original master device is still running, a
series of problems including IP address conflict on the LAN will be caused due to there are two master devices and their
configurations are the same completely. In this condition, the VSU system must detect the two devices and take recovery
measures. The VSU system provides two methods to perform MAD as follows:
AP-based detection
MAD Rules
2. If the previous item cannot help make a judgment, select the VSU group with more physical devices.
3. If the previous item cannot help make a judgment, select the VSU group with a higher health. (Health: total bandwidth of
all physical interfaces (except for management and VSL interfaces) in the UP state in the topology.)
4. If the previous item cannot help make a judgment, select the VSU group with a smaller switch ID (that of the two global
master switches).
5. If the previous item cannot help make a judgment, reserve the VSU group with a smaller MAC address (that of the two
global master switches).
6. If the previous item cannot help make a judgment, reserve the VSU group with a greater startup time (that of the global
master switches).
If DAD is not configured, network interruption may be caused after topology splitting.
BFD
The VSU system supports the BFD to detect multiple master devices. Figure 5-13 shows the topology. A link is added for the
two devices on the edges for MAD specially. When the VSL link is disconnected between the global master and slave
devices, two master devices exist concurrently. If the BFD function is set, the two master devices will send the BFD packets
to each other through the BFD link. Thereby the same devices are detected on the current system. Finally shut down the
VSU system of a master device according to some rules (for details, see the topology combining rules in the section 1.1.4.4
Topology Changes) and enter the recovery state to avoid network abnormality.
When there is a pair of BFD links, you are advised to deploy the detection links at the two ends of the topology.
You need to adopt the extension BFD and you cannot configure the dual-active detection port by using the existing BFD
configurations and commands.
MAD
The VSU system also supports the MAD dual-active detection mechanism. Figure 5-14 shows the topology. The VSU system
and the upstream device both need to support the MAD function. When the VSL link is disconnected, two master devices
exist concurrently. The two master devices respectively send the MAD packets to the member ports of the MAD-APs and
then the MAD packets are forwarded to each other through the upstream device. As shown in Figure 5-14, the MAD-AP has
four member ports. Each member port is connected to a different device of the VSU system. When the topology splitting
occurs, the four member ports all send and receive the MAD packets. Thereby the same devices are detected on the current
system. Finally shut down the VSU system of a master device according to some rules (for details, see the topology
combining rules in the section 5.1.4.4 Topology Changes) and enter the recovery state to avoid network abnormality.
In the topology above, the upstream device must be Ruijie device and support the MAD packet forwarding function.
Cross-device AP Group
An AP binds multiple physical links together to form a logical link. The VSU system supports the AP across the member
devices.
Configuration Guide Configuring VSU
As shown in Figure 5-15, two devices form a VSU group. The external access device Switch A is connected to the VSU in the
form of the AP. In terms of Switch A, there is no difference between the AP in Figure 5-15 and the common AP group.
Troubleshooting
You are advised to configure the cross-device AP with the physical link between the peripheral device and each VSU device.
On the one hand, the VSL bandwidth can be reserved (prioritize the AP member of the same chassis as the egress to
transmitted the cross-chassis AP traffic and prevent unnecessary traffic from being transmitted through the VSL link). On the
other hand, the network reliability can be improved (if a certain chassis is faulty, the member ports of normal devices can
work normally).
The follows sections describe the possible faults of the cross-device AP and the consequences.
If a single link of the cross-device AP is faulty but other links still work normally, the cross-device AP will reallocate the traffic
for the remaining normal links.
Link failure of all cross-device AP member ports on the global master device
If the links of all cross-device AP member ports on the global master device fail to work, only the member ports of other
member devices continue working normally. In terms of the data stream transmitted through the AP to the VSU system, if the
data stream forwarding egress is on the global master device, the system will forward the data stream to the corresponding
egress on the global master device through the VSL link.
The control plane protocols are still running on the global master device. Therefore, the protocol packets that enter the VSU
system need to be forwarded to the global master device through the VSL link for protocol computing.
If all links of the cross-device AP and a single device A fail to work, only the member ports of other member devices continue
working normally. In terms of the data stream transmitted through the AP to the VSU system, if the data stream forwarding
egress is on the member device A, the system will forward the data stream to the corresponding egress on the member
device A through the VSL.
If all links of the cross-device AP fail to work, the interface status will be Link-Down.
If the global master device is faulty, the hot backup switching is performed to switch the original slave device to the master
device. Meanwhile, the member ports on other member devices continue working. The link failure is detected on the peer
device connected to the VSU through this AP. Therefore, the traffic balancing algorithm needs to be adjusted to allocate the
data stream to normal links.
If a member device is faulty, the AP member link connected to this member device is disconnected. However, other member
links still work normally. The link failure is detected on the peer device connected to the VSU through this AP. Therefore, the
traffic balancing algorithm needs to be adjusted to allocate the data stream forwarding paths to normal links.
Traffic Balancing
In a VSU system, traffic may have multiple egresses. The AP and ECMP have their own traffic balancing algorithms, for
example, using destination or source MAC addresses. For details, see the Configuring Aggregate Port. The local forwarding
first (LFF) can be configured detailed in this configuration manual. Packets received by a device are forwarded on this device
first. In this way, packets can be forwarded to other devices without using a VSL.
The master device console of VSU system manages multiple devices on the system simultaneously. The consoles of the
slave and candidate devices do not support command line input. However, you can configure the VSU system on the master
device for a specified member device and log in to the master device console through the serial port of the slave device. A
session can be used to redirect to the master console of a device.
Slot Naming
In terms of the chassis device, in the VSU mode, the slot is named with the device number (Switch ID). Therefore, the slot
number turns from one-dimensional into two-dimensional. For example, cable clip 1/1 indicates the slot numbered 1 of the
slot 1 on a member device.
Interface Naming
In the VSU working mode, a slot number may occur in multiple devices. Therefore, the interface is named with the device
number (Switch ID).
For example, interface gigabitEthernet 1/0/1 indicates the Gigabit port 1 on the slot 0 of the device whose ID is 1; interface
gigabitEthernet 2/0/2 indicates the Gigabit port 2 on the slot 0 of the device whose ID is 2.
In the VSU working mode, you can access to the file system on other member devices from the master device. The detailed
access method is the same to that of the local file system. The unique difference is that different URL prefixes are used.
System Upgrade
Configuration Guide Configuring VSU
Generally the VSU system requires version consistency of the main program version numbers of the member devices.
However, there are so many member devices that it takes too much time and energy to perform upgrade one by one in the
standalone mode and it is also easy to make mistakes. Ruijie switches provide consummate system upgrade solution to help
you with system upgrade by adopting the two methods as follows:
When the VSU system is being established: the system will automatically align the main program version numbers of all
member devices. Once the main program versions are discovered inconsistency, the main program of the master
device will be selected to be synchronized to all member devices.
After the VSU system is established: the main program version will be synchronized to all member devices
automatically by using the file that is downloaded by the TFTP.
SYSLOG
All member devices of the VSU system can display the SYSLOG. The SYSLOG generated by the master device is displayed
on the master device console with the same format to that in the standalone mode. The SYSLOG generated by other
member devices is also displayed on the master device console, but the message format is different from that in the
standalone mode because the device number information is added.
For example, the SYSLOG information generated in the standalone state is "%VSU-5-DTM_TOPO_CVG:Node discovery
done. Topology converged." The SYSLOG information generated by the member device numbered 3 is
"%VSU-5-DTM_TOPO_CVG:(3) Node discovery done. Topology converged."
5.4 Configuration
Changing the VSU (Optional) It is used to change the VSU mode to the standalone mode.
Mode to the
switch convert mode Changes the VSU mode to the standalone
Standalone Mode
standalone mode.
Start up the switch in the standalone mode to set relevant VSU parameters to establish the VSU system.
Configuration Steps
A switch starts in the standalone mode by default. You need to set the same domain ID on the two chassis of the
established VSU system. The domain ID must be unique within the local area network (LAN). Furthermore, you need to
set the ID of each chassis in the VSU.
Run the switch virtual domain domain_id command to configure the domain ID. This command is mandatory.
Run the switch switch_id command to configure the device ID in the VSU. This command is mandatory. For devices
with the same priorities in the VSU system, a device with the smallest device ID is selected as the global master device.
Run the switch switch_id priority priority_num command to configure the device priority. This command is mandatory.
The value ranges from 1 to 255. A larger value means a higher priority.
Configuration Guide Configuring VSU
Run the switch switch_id description switch1 command to configure the device alias. This command is optional. The
default name is Ruijie. For easy identification of devices in the network environment, this item can be selected to set the
device alias.
The command used for configuring a priority can modify the priority only rather than modify a switch ID. Therefore, you
must enter the current switch ID correctly for the configuration. For example, you have set the switch ID to 1. If you
enter switch 2 priority 100, the priority configuration cannot take effect.
To establish the VSU system, you need to decide which ports are configured as the VSL member ports.
Run the vsl-port command to enter the VSL interface configuration mode. This command is mandatory.
Run the port-member interface interface-name [copper | fiber ] command to add a VSL interface. This command is
mandatory.
When the device enters the VSL interface configuration mode, the VSL interface can be configured or deleted.
Command vsl-port
Parameter N/A
Description
Defaults N/A
Command Global configuration mode
Mode
Usage Guide You can run this command in the standalone or VSU mode.
Gigabit interface can be an opto-copper interface. If the media type is not specified, the Gigabit copper
interface is adopted by default.) For an opto-copper interface, you must specify its optical or copper interface
attribute. A VSL interface for a chassis device must be a 10 Gigabit interface.
You can run this command in the VSU mode or standalone mode. The command can take effect after the
command configuration is saved and the device where the VSL member interface resides is restarted.
In the standalone mode, the VSL configurations cannot take effect immediately unless the device shifts into the VSU
mode and restart.
Run the switch crc command to configure error frame check. This command is optional. Run this command to modify
the default method for checking error frames.
If error frames are found on a VSL interface, perform error frame correction. The system detects the VSL interfaces
every 5 seconds by default. If the number of error frames is greater than 3 as compared with that detected last time, it is
assumed that error frames are detected once. If error frames are detected consecutively for 10 times, it is assumed that
the interface is abnormal. If multiple VSL links are available when error frames are detected, the VSL will be switched.
The last VSL will not be switched in order to prevent topology splitting.
Different products have different requirements for error frame check and different processing for VSL interfaces. In
version 11.0, error frame check is configurable.
Use the switch convert mode virtual command to change the standalone mode to the VSU Mode.
In the standalone mode, the software will take the following actions after you run the switch convert mode virtual
command.
Back up the global configuration file config.text in the standalone mode as standalone.text for subsequent use.
Configuration Guide Configuring VSU
Write the relevant VSU configurations to the special configuration file config_vsu.dat.
If there is a virtual_switch.text file on the switch, the system will prompt you whether to overwrite the contents of the file
virtual_switch.text to the file config.text (the file virtual_switch.text is a backup file for the file config.text when the switch
shifts from the VSU mode to the standalone mode). Then you can click Yes or No. Finally the switch restarts in the VSU
mode and reads VSU parameters in the file config_vsu.dat.
This command does not take effect on the switch in the VSU mode.
Verification
Run the show switch virtual config [ switch_id ] command to check the VSU configuration of the current switch in the
standalone mode.
The relevant VSU configurations are set for a single physical switch and the configurations are stored in the special
configuration file config_vsu.dat. Therefore, you can view the current VSU configurations by running the show switch
virtual config command rather than the show running config command.
In the standalone mode, the VSU running information is null. When you enter commands such as show switch virtual, the
system will prompt you that the switch is in the standalone mode and there is no VSU running information.
Configuration Example
Scenario
Figure 5-16
Configuration Guide Configuring VSU
Switch 1 and Switch 2 form a VSU system. The domain ID is 100. The chassis on the left side is configured
as Chassis 1, with the priority of 200, alias of Switch 1, and the VSL interfaces of 1/1 and 1/2. The chassis
on the right side is configured as Chassis 2, with the priority of 100, alias of Switch 2, and the VSL interfaces
of 1/1 and 1/2.
Ruijie(config-vs-domain)#switch 1
Ruijie(config-vs-domain))#exit
Ruijie(config)#vsl-port
Ruijie(config)#exit
Switch-2
Ruijie# configure terminal
Ruijie(config-vs-domain)# switch 2
Ruijie(config-vs-domain))#exit
Ruijie(config)#vsl-port
Ruijie(config-vsl-port)#exit
Verification Run the show switch virtual config command to view the VSU attributes of Switch 1 and Switch 2.
Switch-1
Ruijie#show switch virtual config
switch 1
Switch-2
Ruijie#show switch virtual config
switch 2
!
Configuration Guide Configuring VSU
Common Errors
Configuration Effect
During the VSU system running, you can modify the parameters, such as domain ID, switch ID, and priority of the master
device or the slave device. However, you can only log in to the VSU master device console to modify these parameters, but
cannot enter the global configuration mode from the slave device console.
Notes
Among the commands above, the all configuration commands take effect only after the switch restarts except the
switch sw_id description switch1 command that can take effect immediately.
Configuration Steps
Optional.
Run this command in the VSU mode to enter the domain configuration mode. Switches with the same domain ID form a
VSU system. You can modify or configure the domain ID, switch priority, and switch ID only after entering the domain
configuration mode in the VSU mode.
LAN.
Optional.
To modify the value of domain_id for a device, you can configure this item on the master device console of the VSU
system.
Optional.
To modify the value of switch_id for a device, you can configure this item on the master device console of the VSU
system.
Optional.
To modify the priority of a device, you can configure this item on the master device console of the VSU system.
A larger value means a higher priority. Select the device with the highest priority as the master device.
Command switch switch_id priority priority_num
Parameter switch_id: Indicates a switch ID for which a priority needs to be configured.
Description priority_num: Indicates the switch priority, ranging from 1 to -255 for box switches.
Defaults The default priority is 100.
Command Domain configuration mode
Configuration Guide Configuring VSU
Mode
Usage Guide A larger value means a higher priority. Select the device with the highest priority as the master device.
You can run this command in the standalone or VSU mode. The modified priority takes effect only after you
restart the device.
This command is not used to modify the value of switch_id. In the standalone mode, if switch_id is set to 1,
running the switch 2 priority 200 command does not work. You can first set switch_id to 2 and then run
the switch 2 priority 200 command. In the VSU mode, switch_id indicates the ID of the currently running
switch. If the ID does not exist, the configuration does not take effect.
Optional.
To configure the description for a device, you can configure this item on the master device console of the VSU system.
Run the switch switch_id description switch1 command to configure the device description. A maximum of 32
characters are allowed.
Optional.
Run the switch crc errors error_num times time_num command to configure the conditions for triggering error frame
check.
Run the exit command to exit from the virtual device configuration mode and run the write command to save the
configurations to the config_vsu.dat file.
Verification
Use the show switch virtual [ topology | config ] command to display the current VSU running information, topology or
configuration parameters.
Configuration Example
Scenario
Figure 5-17
Switch 1 and Switch 2 form a VSU system. Modify the chassis ID of Switch 2 to 3 and its priority to 150.
Assume that Switch 1 is the global master switch and perform the configuration on the global master switch.
Verification Run the show switch virtual config command for verification.
Switch-1
Ruijie#show switch virtual config
!
Configuration Guide Configuring VSU
switch 1
switch 3
Configuration Effect
When switches form a VSU system or when the VSU system is running, you can shift between common interfaces and VSL
interfaces. However, you can only log in to the master device console of the VSU system for modification, but cannot enter
the global configuration mode from the slave device console.
Notes
Configuration Guide Configuring VSU
You can log in to the console of the VSU system by using a serial port or telnet, in order to add or delete the
configurations of VSL member interfaces.
To prevent incorrect connections in actual scenarios, the VSL AP uses dynamic negotiation. You need to configure the
VSL interface pool first, and then add the VSL interface pool to the same AP after successful negotiation. Interfaces
connecting to the same device are within the same AP.
Configuration Steps
Run the vsl-port command to enter the VSL-PORT configuration mode. This command is optional.
When the device enters the VSL-PORT configuration mode, the VSL interface can be configured or deleted.
Command vsl-port
Parameter N/A
Description
Defaults N/A
Command Global configuration mode
Mode
Usage Guide You can run this command in the standalone or VSU mode.
Run the port-member interface interface-name [ copper | fiber ] command to add a VSL interface. This command is
optional.
During the VSU system running, the configured VSL member links take effect immediately. VSL interfaces need to be
configured for all devices.
For chassis devices, VSL interfaces must be optical interfaces of 10 Gigabit or higher; for box devices, VSL interfaces can be
optical and copper interfaces of Gigabit or higher.
For a 40G port (no matter whether splitting is performed for the interface), its member interfaces (namely, four 10G
interfaces) cannot be shifted to VSL member interfaces.
If an interface has been configured as an NLB reflex interface, this interface can be shifted to a VSL member interface
only after the NLB reflex interface configuration is deleted.
To prevent a loop that may occur when a VSL member interface exits from the VSL AP, the system automatically sets
the member interface to the shutdown state when the command is executed to make the VSL member interface exit
from the VSL AP. After the VSL member interface exits from the VSL AP, you can reconnect the link and run the no
shutdown command to enable this interface again. When you configure a VSL interface, the system will shut it down
first. If the configuration fails and you want to use it as a common interface, you can run the no shutdown command to
enable this interface again. Add a member interface number that must be a three-dimensional interface number. For
example, in the VSL-PORT configuration mode, if you run the port-member interface Tengigabitethernet 1/1/1
command, it indicates that you configure the global three-dimensional interface 1/1/1 as a VSL interface.
If VSU topology splitting occurs when you change a VSL interface to a common interface, the VSL interface cannot be
deleted. You can disconnect the physical interface first and then delete the VSL interface.
Verification
Use the show switch virtual link [ port ] to display the current VSL link running information in the VSU mode.
Configuration Example
Scenario
Figure 5-18
Configuration Add interface 1/1/3 as the VSL interface for Switch 1 and delete interface 1/1/2 from the VSL interface.
Steps
Switch-1
Ruijie#config
Ruijie(config)# vsl-port
Verification Run the show switch virtual config command to view the VSL. Assume that Switch 1 is the global
master switch and run the command on the global master switch.
Switch-1
Ruijie#show switch virtual config
switch 1
switch 3
Configuration Effect
Configure the relevant detection mechanism to prevent the dual-active is being generated.
Notes
The DAD can be configured only in the VSU mode. You are not allowed to configure the DAD mechanism in the
standalone mode.
All DAD configurations will take effect immediately after being configured on the master or slave devices in global
configuration mode by running the show running-config command.
The BFD-detected configuration information can be displayed only by running the dual-active detection display
command rather that the BFD display command.
Configuration Steps
The BFD DAD requires establishing a directly connected link between two switches. The interfaces on the two ends
must be physical routing interfaces. The following configuration must be performed on both chassis.
Enter the interface configuration mode of the DAD interface and configure the DAD interface as a routing interface.
After exiting from the interface configuration mode, run the switch virtual domain domain_id command to enter the
domain configuration mode.
In the domain mode, run the dual-active detection bfd command to enable BFD. This command is optional and can be
used when BFD DAD needs to be configured.
In the domain configuration mode, run the dual-active bfd interface interface-name command to configure the BFD
DAD interface. This command is optional and can be used to configure the BFD DAD interface when BFD DAD is
configured.
Delete the BFD DAD interface. If no BFD DAD interface is available, BFD detection cannot be used.
The BFD detection interfaces must be directly connected physical routing ports. The two ports must be on different devices.
The interface type is not limited. The dual-active detection link is only used to transmit BFD packets with a small amount of
traffic. Therefore, you are advised to adopt the Gigabit interface or 100 M interface as the dual-active detection interface.
After the layer 3 routing interface that is configured with two master devices is converted into a layer 2 switch interface (run
the switchport command under this interface), the BFD dual-active detection will be cleared automatically.
You are advised to directly connect BFD detection interfaces only to the master and slave devices.
When the VSU system detects dual-active conflict and brings another VSU group to the recovery state, you can resolve
the problem only by rectifying the VSL fault, but not directly restoring the VSU group in the recovery state; otherwise,
dual-active conflict may be caused on the network.
To configure the AP-based DAD, you must configure an aggregate port (AP) first and then specify the AP port as the
DAD interface.
Run the port-group ap-num command to add a physical member interface to the AP.
After entering the domain configuration mode, run the dual-active detection aggregateport command to enable AP
detection mode. This command is optional. You can run this command when AP detection needs to be configured.
Run the dual-active interface interface-name command to configure the AP as the DAD interface. This command is
optional. Yu can run this command to configure the AP as the DAD interface when AP detection needs to be configured.
Run the dad relay enable command to enable dual-active detection packet relay for upstream and downstream
interfaces. This command is optional. You can run this command to relay DAD packets (dual-active detection packets)
when AP-based DAD is configured.
Delete the detected interface. If no AP-based DAD interface is available, AP-based DAD cannot be used.
You are advised to distribute the physical interfaces that are added to the AP-based detection interface to different
devices.
When two master devices are detected, one of them must enter the recovery mode. In the recovery mode, you need to
disable all service interfaces. For some special usages (for example, configuring a management switch from which you
can log in to a remote interface), you can set some ports to excluded interfaces that are not disabled in the recovery
mode.
In the domain configuration mode, run the dual-active exclude interface interface-name command to specify an
excluded interface that will not be disabled in the recovery mode. This command is optional.
Description
Defaults N/A
Command Domain configuration mode
Mode
Usage Guide Configure this command only in the VSU mode. An excluded interface must be a routing interface instead of
a VSL interface. You can configure multiple excluded interfaces.
After the excluded interface is converted from a routing one into a switch interface (run the switchport command under
this interface), the configurations of the excluded interface that is associated with this interface will be cleared
automatically.
Verification
Use the show switch virtual dual-active { aggregateport | bfd | summary } to display the current DAD configuration.
Configuration Example
Scenario
Figure 5-19
Switch 1 and Switch 2 form a VSU (The domain ID is 1) system. The priorities of Switch 1 and Switch 2
are 200 and 150 respectively. The links between Te1/3/1 and Te1/3/2 of Switch 1 and Te2/3/1 and
Te2/3/2 of Switch 2 are established respectively to form a VSL between Switch 1 and Switch 2. The
G0/1, G0/2, G0/3 and G0/4 interfaces of Switch A are connected to G1/1/1 and G1/2/1 of Switch 1 and
G2/1/1 and G2/2/1 of Switch 2 to form an AP group including four member links. The ID of the AP
Configuration Guide Configuring VSU
group is 1. All members of AP group 1 are Gigabit optical interfaces. G1/1/2 and G2/1/2 are routing
interfaces.
G1/1/2 and G2/1/2 are a pair of BFD DAD interfaces.
Since Switch 1 and Switch 2 are in a VSU system, the preceding configuration can be performed on either
Switch 1 or Switch 2. on the following example configures the functions on Switch 1.
Switch 1
Ruijie(config)# interface GigabitEthernet 1/1/2
Switch A
Ruijie# configure terminal
Ruijie(config-if-vlan 1)#exit
Ruijie(config)#interface aggregateport 1
GigabitEthernet 1/1/2: UP
GigabitEthernet 2/1/2: UP
Common Errors
Configuration Effect
In the VSU system, if egresses are distributed on multiple devices, the Local Forward First (LFF) can be configured.
Notes
Configuration Steps
In the domain configuration mode, run the switch virtual aggregateport-lff enable command to enable the AP LFF
mode. This command is optional.
The member ports of AP can be distributed on two chassis of the VSU system. You can configure whether the AP
egress traffic is forwarded through local member ports first based on actual traffic conditions.
If this function is disabled, traffic is forwarded based on the AP configuration rules. For details, see the Configuring
Aggregate Port.
In the domain configuration mode, run the switch virtual ecmp-lff enable command to enable the ECMP LFF mode.
This command is optional.
The Equal-Cost MultiPath (ECMP) routing egress can be distributed on two chassis of the VSU system. You can
configure whether the ECMP egress traffic is forwarded through local member ports first based on actual traffic
conditions.
If this function is disabled, traffic is forwarded based on the ECMP configuration rules. For details, see the Configuring
Aggregate Port.
In the VSU mode, the across-chassis AP LFF mode and the ECMP LFF mode are disabled by default.
To deploy a VSU system for layer-3 switches, you are advised to configure the IP-based AP load balancing (src-ip,
dst-ip abd src-dst-ip).
Verification
Use the show switch virtual balance command to display the current traffic balancing mode of the VSU system.
Configuration Example
Scenario
Figure 5-20
In Figure 5-20, Switch 1 and Switch 2 form a VSU system. It is assumed that Switch 1 is the global master
switch and configuration is performed on Switch 1.
Configuration Guide Configuring VSU
Verification Run the show switch virtual balance command for verification.
Switch-1
Ruijie#show switch virtual balance
Configuration Effect
Dismiss the VSU system into individual devices that can operate in the standalone mode.
Configuration Steps
Run the switch convert mode standalone [switch_id] command to change the VSU mode to the standalone mode.
This command is optional.
After you run this command, the system will prompt you as follows: Whether to restore the configuration file to
standalone text? If yes, the configuration file will be restored; if no, the configuration of virtual device mode will be
cleared.
ID specified by sw_id. If the command does not contain the sw_id parameter, the mode switching is
performed on the master switch. You are advised to switch the mode of the slave switch and then that of the
master switch.
Configuration Example
Scenario
Figure 5-21
In Figure 5-21, it is assumed that Switch 1 and Switch 2 form a VSU system and Switch 1 is the global
master switch.
Verification Run the show switch virtual config command to display the switch status.
Switch-1
Ruijie#show switch virtual config
switch 1
!
Configuration Guide Configuring VSU
switch 2
5.5 Monitoring
Displaying
Description Command
Displays the current VSU operation, topology or configuration. show switch virtual [ topology | config | role ]
Displays the current dual-active configuration. show switch virtual dual-active { bfd | aggregateport |
summary }
Displays the current VSL running information in the VSU mode. show switch virtual link [ port ]
Redirects to the console of the master switch or any switch. session { device switch_id | master }
Displays the current switch ID. show switch id
Configuration Guide Configuring VRRP
6 Configuring VRRP
6.1 Overview
VRRP adopts the master-backup design to ensure migration of functions from a Master router to a Backup one when the
Master failed, without influencing internal and external data communication or modifying Local Area Network (LAN)
configuration. A VRRP group maps multiple routers into a virtual router. VRRP ensures only one router at a moment on
behalf of a virtual router transfers packets, which is the elected Master. If the Master fails, one of the Backup routers will
replace it. Under VRRP, it seems that a host in a LAN uses only one router and the routing remains functional even when the
first-hop router fails.
VRRP is applicable to LAN scenarios which require the redundancy of routing egresses.
RFC5798: Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6
6.2 Applications
Application Description
Routing Redundancy Configure routers in a LAN as one VRRP group to achieve simple routing
redundancy.
Load Balancing Configure routers in a LAN as multiple VRRP groups to achieve traffic load balancing.
Configure routers in a LAN as one VRRP group, where hosts take the virtual IP address of this group as the default gateway
address.
Packets from Host 1, Host 2 and Host 3 to other networks are forwarded by the elected Master router (Router A in
Figure 6-1).
If Router A fails, the Master will be re-elected between Router B and Router C to forward packets, achieving simple
routing redundancy.
Figure 6-1
Configuration Guide Configuring VRRP
Deployment
Router A, Router B and Router C are connected to the LAN via Ethernet interfaces.
On Router A, Router B and Router C, VRRP is configured on the Ethernet interfaces connected to the LAN.
These Ethernet interfaces are in the same VRRP group whose virtual IP address is 192.168.12.1.
The gateway address for Host 1, Host 2 and Host 3 is the IP address of the VRRP group, namely 192.168.12.1.
Configure routers in a LAN as multiple VRRP groups. Hosts in the LAN take virtual IP addresses of the groups as their
gateways, and each router backs up for other routers in different group.
Packets from Host 1 and Host 2 to other networks with the default gateway address as the virtual IP address of virtual
router 1 are forwarded by the Master of virtual router 1 (Router A in Figure 6-2).
Packets from Host 3 and Host 4 to other networks with the default gateway address as the virtual IP address of virtual
router 2 are forwarded by the Master of virtual router 2 (Router B in Figure 6-2).
Routing redundancy is achieved on Router A and Router B, and the LAN traffic is shared to achieve load balancing.
Figure 6-2
Configuration Guide Configuring VRRP
Deployment
Router A and Router B are connected to the LAN via Ethernet interfaces.
On Router A and Router B, two virtual routers are configured on the Ethernet interfaces connected to the LAN.
Router A takes the IP address 192.168.12.1 of Ethernet interface Gi0/0 as the IP address of virtual router 1. Thus for
virtual router 1, Router A becomes the Master and Router B becomes the Backup.
Router B takes the IP address 192.168.12.2 of Ethernet interface Gi0/0 as the IP address of virtual router 2. Thus for
virtual router 2, Router B becomes the Master and Router A becomes the Backup.
In the LAN, Host 1 and Host 2 take the IP address 192.168.12.1 of virtual router 1 as the default gateway address, while
Host 3 and Host 4 take the IP address 192.168.12.2 of virtual router 2 as the default gateway address.
6.3 Features
Basic Concepts
Virtual Router
A virtual router, also called a VRRP group, is regarded as a default gateway for hosts in a LAN. A VRRP group contains a
Virtual Router Identifier (VRID) and a set of virtual IP addresses.
Virtual IP Address
Indicates the IP address of a virtual router. A virtual router can be configured with one or multiple IP addresses.
IP Address Owner
If a VRRP group has the virtual IP address as that of an Ethernet interface on one real router, the router is regarded as the
virtual IP address owner. In such case, the router priority is 255. If the owned Ethernet interface is available, the VRRP group
will be in Master state automatically. The IP address owner receives and processes the packets with the destination IP
address as that of the virtual router.
The virtual MAC address of a VRRP group is an IEEE 802 MAC address, formatted as 00-00-5E-00-01-{VRID} with the first
five octets assigned and the last two as a group VRID. A VRRP group responds to an Address Resolution Protocol (ARP)
request with its virtual MAC address instead of a real MAC address.
Master Router
In a VRRP group, only the Master router answers ARP requests and forwards IP packets. If a real router is the IP Address
Owner, it becomes the Master router.
Backup Router
In a VRRP group, Backup routers only monitor the state of the Master but do not respond to ARP requests or forward IP
packets. When the Master fails, Backup routers will take the chance to compete for the position.
Preemption Mode
If a VRRP group runs in Preemption mode, a higher priority Backup router will replace the lower priority Master router.
Overview
Feature Description
VRRP VRRP achieves redundancy for the default gateways of terminals on a multi-access media (for
example, Ethernet). It enables a Backup router to forward packets when the Master router is down,
providing transparent routing switch and promoting network service quality.
6.3.1 VRRP
In case that the Master router is faulty, VRRP achieves migration of functions from the Master router to a Backup one without
influencing internal and external data communication or modifying LAN configuration.
Working Principle
The RFC2338, RFC3768 and RFC5798 protocols define the format and operating mechanism of VRRP packets. Multicast
VRRP packets are sent periodically with specified destination addresses by the Master router to advertise normal operation
or for Master election. VRRP allows a router in a LAN to automatically replace the Master who forwards IP packets when the
latter fails. This helps achieve hot backup and fault tolerance of IP-based routing as well as ensure communication continuity
and reliability for hosts in the LAN. A VRRP group achieves redundancy through multiple real routers. However, only one
router acts as the Master to forward packets while the others are Backup routers. Router switching in a VRRP group is
completely transparent to hosts in a LAN.
VRRP provides a simple mechanism for Master election. First, compare the VRRP priorities configured on the
interfaces of the routers in a VRRP group. The router with the highest priority is elected as the Master. If these priorities
are equal, compare the primary IP addresses of these routers. The router with the biggest IP address is elected as the
Master.
After the Master router is elected, the other routers become Backup routers (and enter the Backup state) and monitor
the state of the master router through the VRRP packets the master router sends. If the master router is operational, it
regularly sends VRRP multicast packets known as Advertisement packets to notify the Backup routers of its status. If
the Backup routers do not receive such packets within a set period, all of them will enter the Master state. In such case,
the previous step of Master election is repeated. In this way, a router with the highest priority will be elected as a new
master, achieving VRRP backup.
Once the Master router of a VRRP group is elected, it is responsible to forward packets for hosts in a LAN.
Communication Process
The VRRP communication process can be explained by Figure 6-3. The routers R1 and R2 are connected to the LAN
segment 192.168.12.0/24 via the VRRP-enabled Ethernet interfaces Gi0/0. Hosts in the LAN take the virtual IP address of
the VRRP group as the default gateway address. Only the virtual router is recognized by the hosts. The Master router in the
group, however, is unknown. For example, when PC 1 plan to communicate with PC 2, PC 1 sends packets to the default
gateway with the virtual IP address; The Master router in the group receives the packets and forwards them to PC 2. In this
process, PC 1 only senses the virtual router instead of R1 or R2. The Master router in the group is elected between R1 and
R2. When the Master fails, it will be replaced automatically by the other router.
Related Configuration
Enabling VRRP
In the interface configuration mode, run the vrrp group ip ipaddress [ secondary ] or vrrp group ipv6 ipv6-address
command to set the VRID and virtual IP address to enable VRRP.
Run the vrrp group authentication string command to set an authentication string in MD5 authentication mode or a plain
text password in plain text mode for an IPv4 VRRP group. In the plain text authentication mode, a password contains 8 bytes
at most.
Members of a VRRP group can communicate with each other only when they are in the same authentication mode. In the
plain text authentication mode, all routers in a VRRP group should have the same authentication password. The plain text
authentication password cannot guarantee security but only prevents/prompts wrong VRRP configurations.
Run the vrrp [ ipv6 ] group timers advertise { advertise-interval | csec centisecond-interval } command to change the
interval.
When VRRP learning timer is not configured, the same advertisement interval should be set for a VRRP group, otherwise
routers in Backup state will discard received VRRP packets.
To enable the Preemption mode for a VRRP group, run the vrrp [ ipv6 ] group preempt [ delay seconds ] command. The
optional parameter delay seconds is 0 by default.
If a VRRP group operates in the Preemption mode, a router will become the Mater of the group when it finds that its priority is
higher than that of the current Master. If a VRRP group operates in Non-preemption mode, a router will not become the
Master even when it finds that its priority is higher than that of the current Master. It makes little sense to configure the
Preemption mode when the VRRP group uses the IP address of an Ethernet interface, in which case the group has the
highest priority and automatically becomes the Master in the group. The optional parameter Delay Seconds defines the delay
before a backup VRRP router declares its Master identity.
To enable the Accept mode, run the vrrp ipv6 group accept_mode command.
After the Accept mode is enabled, an IPv6 VRRP virtual router in Master state receives and processes packets with the
virtual router IP address as the destination; when the Accept mode is disabled, the virtual router discards such packets
except Neighbor Advertisement (NA) packets and Neighbor Solicitation (NS) packets. Besides, an IPv6 VRRP master virtual
router in Owner state receives and processes packets with the virtual router IP address as the destination by default no
matter whether the Accept mode is configured or not.
To adjust the priority, run the vrrp [ ipv6 ] group priority level command.
Configuration Guide Configuring VRRP
If a router in the Preemption mode owns the group’s virtual IP address and the highest priority, it becomes the group Master,
while the other routers with lower priorities in the group become Backup (or monitoring) routers.
To configure such an interface, run the vrrp group track { interface-type interface-number } [ priority ] or vrrp ipv6 group
track interface-type interface-number [ priority ] command.
After an interface is configured for a VRRP group to monitor, the router priority will be adjusted dynamically based on the
interface state. Once the interface becomes unavailable, the priority of the router in the group will be reduced by a set value,
and another functional and higher priority router in this group will become the Master.
To trace the link layer protocol status of an interface, the link parameter needs to be configured. Otherwise, the network
layer protocol status of the interface is traced.
To configure such an address, run the vrrp group track ip-address [ interval interval-value ] [ timeout timeout-value ] [ retry
retry-value ] [ priority ] or vrrp ipv6 group track { ipv6-global-address | { ipv6-linklocal-address interface-type
interface-number } } [ interval interval-value ] [ timeout timeout-value ] [ retry retry-value ] [ priority ] command.
After an IP address is configured for a VRRP group to monitor, the router priority will be adjusted dynamically based on the
address accessibility. Once the address is inaccessible (the ping command fails), the priority of the router in the group will be
reduced by a set value, and another higher priority router in this group will become the Master.
To enable it, run the vrrp [ ipv6 ] group timers learn command.
After the learning timer is configured, a VRRP Backup router learns the advertisement interval of NA packets from the Master.
Based on this instead of a locally set interval, the Backup router calculates the interval for determining a failure of the Master.
This command achieves the synchronization of advertisement intervals between Backup routers and the Master.
To configure such a string, run the vrrp [ ipv6 ] group description text command.
A VRRP description helps distinguishing VRRP groups. A description has 80 bytes at most, otherwise wrong configuration is
prompted.
To enable it, run the vrrp delay { minimum min-seconds | reload reload-seconds } command. The two types of delay range
from 0 to 60 seconds.
The command configures the delay of starting a VRRP group on an interface. There are two types of VRRP delay: the delay
after system startup and the delay after an interface resumes. You may configure them respectively or simultaneously. After
the delay is configured for a VRRP group on an interface, the VRRP group starts after the delay instead of immediately upon
system startup or the interface's resumption, ensuring non-preemption. If the interface receives a VRRP packet during the
delay, the delay will be canceled and the VRRP will be started immediately. This configuration will be effective for both IPv4
and IPv6 VRRP groups of an interface.
To specify the version for IPv4 VRRP, run the vrrp group version { 2 | 3 } command.
When the parameter value is set to 2, VRRPv2 is adopted; when the parameter value is set to 3, VRRPv3 is adopted.
6.4 Configuration
Configure a VRRP group on an interface of a specific LAN segment by setting the VRID and virtual IP address.
Configure multiple VRRP groups on an interface to achieve load balancing and offer more stable and reliable network
services.
Configure the VRRP tracked interfaces to monitor real-time failures, change interface priorities and realize
master-backup failover dynamically.
Notes
Configuration Guide Configuring VRRP
To achieve VRRP, the routers in a VRRP group should be configured with the same virtual IPv4 address.
To achieve mutual backup between multiple IPv4 VRRP groups, configure multiple IPv4 VRRP groups with identical
VRRP configuration on different interface and configure different priorities for them so that they act as the master and
backup groups mutually.
Configuration Steps
By default, IPv4 VRRP is disabled on an interface. You can enable it based on your demand.
By default, VRRP is in non-authentication mode. You can enable plain text authentication mode based on your demand.
By default, the Master router sends advertisement packets every one second. You can modify the interval based on
your demand.
The default router priority for a VRRP group is 100. You can modify the priority based on your demand.
By default, an IPv4 VRRP group monitors no interface and the value of priority change is 10. To achieve fault
monitoring through interface monitoring, please configure this item.
By default, the learning timer is disabled for a VRRP group. Enable this function if the Backup routers need to learn the
Master’s advertisement interval.
By default, no description is configured for a VRRP group. To distinguish VRRP groups clearly, configure descriptions.
By default, the IPv6 VRRP delay is not configured. To guarantee an effective non-preemption mode, configure the
delay.
By default, IPv4 adopts the VRRPv2 standard. To change it, use the corresponding command.
Configuration Guide Configuring VRRP
Verification
Related Commands
Authentication is abolished for VRRPv3 (IPv4 VRRP and IPv6 VRRP) packets. If VRRPv2 is chosen for an
IPv4 VRRP group, the command is effective; if VRRPv3 is chosen, the command is ineffective.
maximum advertisement interval is 40 seconds. Therefore, if the interval is set longer than 40 seconds, this
maximum interval will be applied, though the configuration is effective.
Command vrrp group track ipv4-address [ interval interval-value ] [ timeout timeout-value ] [ retry retry-value ]
[ priority ]
Parameter group: Indicates the VRID of a VRRP group.
Description ipv4-addres: Indicates the IPv4 address to be tracked.
Configuration Guide Configuring VRRP
interval interval-value: Indicates the probe interval. The unit is second. Unless configured manually, the
value is 3 seconds by default.
timeout timeout-value: Indicates the probe timeout of waiting for responses. If no response is received
when the timeout is up, it is regarded that the destination is inaccessible. The unit is second. Unless
configured manually, the value is 1 second by default.
retry retry-value: Indicates the probe retries. If the probe packet is sent continually for retry-value times but
no response is received, it is regarded that the destination is inaccessible. The unit is times. Unless
configured, the value is 3 times by default.
priority: Indicates the scale of VRRP priority change when the state of a monitored interface changes. The
default value is 10.
Command Interface configuration mode
Mode
Usage Guide To monitor a host, specify its IPv4 address for an IPv4 VRRP group.
If a VRRP group owns the actual IP address of an Ethernet interface, the group priority is 255, and no
monitored IP address can be configured.
Configuration Example
Scenario
Figure 6-4
Configuration The cluster of Work Station A and Work Station B (192.168.201.0/24) uses the virtual IP address
Steps 192.168.201.1 of the VRRP group constituted by the routers R1 and R2 as the gateway address to
Configuration Guide Configuring VRRP
R3(config-if-GigabitEthernet 0/0)#exit
R3(config-if-GigabitEthernet 1/1)#exit
R3(config-if-GigabitEthernet 2/1)#exit
R3(config)#router ospf
R1
R1#configure terminal
R1(config-if-GigabitEthernet 0/0)#exit
Configuration Guide Configuring VRRP
R1(config-if-GigabitEthernet 2/1)#exit
R1(config)#router ospf
R2
R2#configure terminal
R2(config-if-GigabitEthernet 0/0)#exit
R2(config-if-GigabitEthernet 1/1)#exit
R2(config)#router ospf
State is Master
Preemption is enabled
Priority is 120
R2
R2#show vrrp
State is Backup
Preemption is enabled
Priority is 100
Common Errors
Different virtual IP addresses are configured on the routers in a VRRP group, resulting in multiple Master routers in the
group.
Different VRRP advertisement intervals are configured on the routers in a VRRP group and the learning timer is not
configured, resulting in multiple Master routers in the group.
Different VRRP versions are configured on the routers in a VRRP group, resulting in multiple Master routers in the
group.
For VRRPv2, the Ethernet interfaces of the routers in a VRRP group are all in plain text authentication mode but
inconsistent in authentication strings, resulting in multiple Master routers in the group.
Configuration Example
Scenario
Figure 6-5
Configuration The user workstation cluster (192.168.201.0/24) uses the backup group constituted by the routers R1
Steps and R2. The gateway for partial workstations (A for example) points to the virtual IP address
192.168.201.1 of the backup group 1, while that for other partial workstations (C for example) points to
the virtual IP address 192.168.201.2 of the backup group 2. IPv4 multicast routing is enabled on all the
routers.
R1 acts as the master router in the group 2 and as a backup router in the group 1.
R2 acts as a backup router in the group 2 and as a master router in the group 1.
R3
R3#configure terminal
R3(config-if-GigabitEthernet 0/0)#exit
R3(config-if-GigabitEthernet 1/1)#exit
R3(config-if-GigabitEthernet 2/1)#exit
R3(config)#router ospf
R1
R1#configure terminal
R1(config-if-GigabitEthernet 0/0)#exit
R1(config-if-GigabitEthernet 2/1)#exit
R1(config)#router ospf
R2
R2#configure terminal
R2(config-if-GigabitEthernet 0/0)#exit
R2(config-if-GigabitEthernet 1/1)#exit
R2(config)#router ospf
State is Backup
Preemption is enabled
Priority is 100
State is Master
Preemption is enabled
Priority is 120
R2
R2#show vrrp
State is Master
Preemption is enabled
Priority is 120
State is Backup
Preemption is enabled
Priority is 100
Common Errors
Different virtual IP addresses are configured on the routers in a VRRP group, resulting in multiple Master routers in the
group.
Different VRRP advertisement intervals are configured on the routers in a VRRP group and the learning timer is not
configured, resulting in multiple Master routers in the group.
Different VRRP versions are configured on the routers in a VRRP group, resulting in multiple Master routers in the
group.
For VRRPv2, the Ethernet interfaces of the routers in a VRRP group are all in plain text authentication mode but
inconsistent in authentication strings, resulting in multiple Master routers in the group.
Configure an IPv6 VRRP group on an interface of a specific LAN segment by setting the VRID and virtual IPv6 address.
Configure multiple IPv6 VRRP groups on an interface to achieve load balance and achieve more stable and reliable
network services.
Configure the VRRP tracked interfaces to monitor real-time failures, change interface priorities and realize
master-backup failover dynamically.
Notes
To achieve VRRP, the routers in a VRRP group should be configured with the same virtual IPv6 address.
To achieve mutual backup for multiple IPv6 VRRP backup groups, you need to configure multiple IPv6 VRRP groups
with identical VRRP configuration on an interface and configure different priorities for them to make routers master and
backup mutually.
Configuration Steps
By default, IPv6 VRRP is not enabled on an interface. You can enable it based on your demand.
By default, the Master router sends advertisement packets every one second. You can modify the interval based on
your demand.
Configuration Guide Configuring VRRP
By default, the Accept mode is disabled for an IPv6 VRRP group. To require an IPv6 VRRP VRRP group in Master state
to receive and process packets with the destination IP address as that of the virtual router, enable Accept mode.
The default router priority for a VRRP group is 100. You can modify the priority based on your demand.
By default, no tracked interface is configured. You can modify the interval based on your demand.
By default, no tracked IPv6 address is configured and the value of priority change is 10. You can configure this function
based on your demand.
By default, the learning timer is disabled for a VRRP group. Enable this function if the Backup routers need to learn the
Master’s advertisement interval.
By default, no description is configured for a VRRP group. To distinguish VRRP groups clearly, configure descriptions.
By default, the IPv6 VRRP delay is not configured. To guarantee an effective non-preemption mode, configure the
delay.
Verification
Related Commands
link-local address, which can be deleted only after other virtual addresses.
Usage Guide To monitor a host, specify its IPv6 address for an IPv6 VRRP group.
If the host IP address being tracked is a link-local address, specify a network interface.
If a VRRP group owns the actual IP address of an Ethernet interface, the group priority is 255, and no
monitored IP address can be configured.
Configuration Example
Scenario
Figure 6-6
Configuration Host A and Host B access the Internet resources through the default gateway 2000::1/64.
Steps Ruijie A and Ruijie B belong to the IPv6 VRRP group 1, and their virtual addresses are 2000::1/64 and
FE80::1 respectively.
Ruijie A tracks the interface GigabitEthernet 0/2 connected to the Internet. When GigabitEthernet 0/2 is
unavailable, Ruijie A reduces its priority and Ruijie B acts as a gateway.
RuijieA
RuijieA#configure terminal
RuijieB
RuijieB#configure terminal
State is Master
FE80::1
2000::1
Accept_Mode is enabled
Preemption is enabled
Priority is 120
RuijieB
RuijieB#show ipv6 vrrp 1
State is Backup
FE80::1
2000::1
Accept_Mode is enabled
Preemption is enabled
Priority is 100
Common Errors
Different virtual IPv6 addresses are configured on the routers in a VRRP group, resulting in multiple Master routers in
the group.
Different VRRP advertisement intervals are configured on the routers in a VRRP group and the learning timer is not
configured, resulting in multiple Master routers in the group.
Configuration Example
Scenario
Figure 6-7
Configuration Host A and Host B access the Internet resources through the gateways 2000::1/64 and 2000::100/64
Steps respectively.
Ruijie A and Ruijie B belong to the IPv6 VRRP group 1, and their virtual addresses are 2000::1/64 and
FE80::1 respectively.
Ruijie A and Ruijie B belong to the backup group 2 of a virtual IPv6 router, and their virtual addresses
are 2000::100/64 and FE80::100 respectively.
Ruijie A and Ruijie B act as gateways and forward flows, being a backup router to each other.
RuijieA
RuijieA#configure terminal
Configuration Guide Configuring VRRP
RuijieB
RuijieB#configure terminal
State is Master
FE80::1
2000::1
Accept_Mode is enabled
Preemption is enabled
Priority is 120
State is Backup
FE80::100
2000::100
Accept_Mode is enabled
Preemption is enabled
Priority is 100
RuijieB
RuijieB#show ipv6 vrrp
State is Backup
FE80::1
2000::1
Accept_Mode is enabled
Preemption is enabled
Priority is 100
State is Master
FE80::100
2000::100
Accept_Mode is enabled
Preemption is enabled
Priority is 120
Common Errors
Different virtual IPv6 addresses are configured on the routers in a VRRP group, resulting in multiple Master routers in
the group.
Different VRRP advertisement intervals are configured on the routers in a VRRP group and the learning timer is not
configured, resulting in multiple Master routers in the group.
Configuration Guide Configuring VRRP
Link-level and gateway-level backup are achieved and network robustness is improved greatly when MTSP and VRRP
are applied simultaneously.
Notes
configure the routers in a VRRP backup group with the same virtual IPv4 address.
Configuration Steps
By default, IPv4 VRRP is not enabled on an interface. To enable IPv4 VRRP, please configure this item.
By default, VRRP is in a non-authentication mode. To enable plain text password authentication for VRRP, please
configure this item.
By default, a master router sends VRRP GWADV packets at an interface of one second. To manually set a value,
please configure this item.
By default, VRRP groups work in the preemption mode with zero-second delay.
The default router priority for a VRRP group is 100. You can modify the priority based on your demand.
By default, an IPv4 VRRP group monitors no interface. To achieve fault monitoring through monitoring an interface,
please configure this item.
By default, timed learning is not enabled for a VRRP backup group. To enable backup routers to learn the VRRP
GWADV packets from a master router, please configure this item.
By default, no description is configured for a VRRP group. To distinguish VRRP groups conveniently, please configure
this item.
By default, the VRRP delay for a VRRP group is not configured. Configure the delay to guarantee a stable transition
from Non-preemption mode to Preemption mode.
By default, the VRRPv2 standard is adopted for IPv4 VRRP packets. To modify it manually, please configure this item.
Verification
Related Commands
Authentication is abolished for VRRPv3 packets. If VRRPv2 is chosen for an IPv4 VRRP group, the
command is effective; if VRRPv3 is chosen, the command is ineffective.
for VRRPv3 packets. If it is configured for VRRPv2 packets, the default interval is one second.
Command Interface configuration mode
Mode
Usage Guide If a router is elected as the Master in a VRRP group, it sends VRRP advertisement packets at the set
interval to announce its VRRP state, priority and other information.
According to the RFC standards, if an IPv4 VRRP group adopts VRRPv3 for sending multicast packets, the
maximum advertisement interval is 40 seconds. Therefore, if the interval is set longer than 40 seconds, this
maximum interval will be applied, though the configuration is effective.
Command vrrp group track ipv4-address [ interval interval-value ] [ timeout timeout-value ] [ retry retry-value ]
[ priority ]
Parameter group: Indicates the VRID of a VRRP group.
Description ipv4-addres: Indicates the IPv4 address to be tracked.
interval interval-value: Indicates the probe interval. The unit is second. Unless configured manually, the
value is 3 seconds by default.
timeout timeout-value: Indicates the probe timeout of waiting for responses. If no response is received
when the timeout is up, it is regarded that the destination is inaccessible. The unit is second. Unless
configured manually, the value is 1 second by default.
retry retry-value: Indicates the probe retries. If the probe packet is sent continually for retry-value times but
no response is received, it is regarded that the destination is inaccessible. The unit is times. Unless
configured, the value is 3 times by default.
priority: Indicates the scale of VRRP priority change when the state of a monitored interface changes. The
default value is 10.
Command Interface configuration mode
Mode
Usage Guide To monitor a host, specify its IPv4 address for an IPv4 VRRP group.
If a VRRP group owns the actual IP address of an Ethernet interface, the group priority is 255, and no
monitored IP address can be configured.
Configuration Example
Configuring VRRP+MSTP
Scenario
Figure 6-8
Configuration Enable MSTP on routers (switches A, B, C, D, E and F in this example). Configure VLAN-Instance
Steps mapping (mapping VLAN 10 and VLAN 20 to Instance 1, VLAN 30 and VLAN 40 to Instance 2, and the
Configuration Guide Configuring VRRP
rest VLANs to Instance 0), and configure gateways (Switch A and Switch B in this example) as the root
bridges of corresponding instances.
Add the SVIs of all VLANs to corresponding VRRP backup groups, and configure gateways as the
master and backup routers for corresponding backup groups See configuration details in the following
table.
Backup Virtual IP
Gateway VLAN ID SVI State
Group Address
SwitchA
//Create VLAN 10, VLAN 20, VLAN 30 and VLAN 40 on Switch A.
SwitchA#configure terminal
SwitchA(config-vlan-range)#exit
//Map VLAN 10 and VLAN 20 to Instance 1, VLAN 30 and VLAN 40 to Instance 2, and the rest VLANs to
Configuration Guide Configuring VRRP
Instance 0.
SwitchA(config-mst)#exit
//On Switch A, configure the priority of MST 0 and MST 1 as 4096, and that of MST 2 as 8192.
//Enabling MSTP
SwitchA(config)#spanning-tree
Enable spanning-tree.
//Configure SVIs of all the VLANs, add the SVIs to corresponding backup groups, and configure virtual
IP addresses for the groups.
SwitchA(config)#interface vlan 10
SwitchA(config-if-VLAN 10)#exit
SwitchA(config)#interface vlan 20
SwitchA(config-if-VLAN 20)#exit
SwitchA(config)#interface vlan 30
SwitchA(config-if-VLAN 30)#exit
SwitchA(config)#interface vlan 40
SwitchA(config-if-VLAN 40)#exit
Configuration Guide Configuring VRRP
SwitchA(config)#interface vlan 10
SwitchA(config-if-VLAN 10)#exit
SwitchA(config)#interface vlan 20
SwitchA(config-if-VLAN 20)#exit
//Configure the Gi 0/1 port of Switch A as Route Port and its IP address as10.10.1.1/24.
SwitchA(config-if-GigabitEthernet 0/1)#exit
//Configure the Gi 0/1 port of Switch A as a monitored port for VRRP 10 and VRRP 20, and a Priority
decrement of 30.
SwitchA(config)#interface vlan 10
SwitchA(config-if-VLAN 10)#exit
SwitchA(config)#interface vlan 20
SwitchA(config-if-VLAN 20)#exit
//Configure ports Gi 0/2 and Gi 0/3 as AP ports, which are Trunk ports.
SwitchA#configure terminal
SwitchA(config-if-range)#port-group 1
SwitchA(config)#interface aggregateport 1
SwitchB
//Create VLAN 10, VLAN 20, VLAN 30 and VLAN 40 on Switch B.
SwitchB#configure terminal
SwitchB(config-vlan-range)#exit
//Map VLAN 10 and VLAN 20 to Instance 1, VLAN 30 and VLAN 40 to Instance 2, and the rest VLANs to
Instance 0.
SwitchB(config-mst)#exit
//On Switch B, configure the priority of MST 2 as 4096, and that of MST 0 and MST 1 as 8192.
//Enabling MSTP
SwitchB(config)#spanning-tree
Enable spanning-tree.
//Configure SVIs of all the VLANs, add the SVIs to corresponding backup groups, and configure virtual
IP addresses for the groups.
SwitchB(config)#interface vlan 10
SwitchB(config-if-VLAN 10)#exit
SwitchB(config)#interface vlan 20
SwitchB(config-if-VLAN 20)#exit
SwitchB(config)#interface vlan 30
SwitchB(config-if-VLAN 30)#exit
SwitchB(config)#interface vlan 40
SwitchB(config-if-VLAN 40)#exit
SwitchB(config)#interface vlan 30
SwitchB(config-if-VLAN 30)#exit
SwitchB(config)#interface vlan 40
SwitchB(config-if-VLAN 40)#exit
//Configure the Gi 0/1 port of Switch B as Route Port and its IP address as 10.10.1.1/24.
SwitchB(config-if-GigabitEthernet 0/1)#exit
//Configure the Gi 0/1 port of Switch B as a monitored port for VRRP 30 and VRRP 40, and the
Interface-Priority as 30.
SwitchB(config)#interface vlan 30
SwitchB(config-if-VLAN 30)#exit
SwitchB(config)#interface vlan 40
SwitchB(config-if-VLAN 40)#exit
//Configure ports Gi 0/2 and Gi 0/3 as AP ports, which are Trunk ports.
SwitchB (config-if-range)#port-group 1
Verification
Switch A
Check the configuration.
SwitchA#show running-config
Configuration Guide Configuring VRRP
vlan 10
vlan 20
vlan 30
vlan 40
spanning-tree
no switchport
no ip proxy-arp
port-group 1
port-group 1
interface AggregatePort 1
!
Configuration Guide Configuring VRRP
interface VLAN 10
no ip proxy-arp
vrrp 10 ip 192.168.10.1
interface VLAN 20
no ip proxy-arp
vrrp 20 ip 192.168.20.1
interface VLAN 30
no ip proxy-arp
vrrp 30 ip 192.168.30.1
interface VLAN 40
no ip proxy-arp
vrrp 40 ip 192.168.40.1
Interface Grp Pri timer Own Pre State Master addr Group addr
Interface Grp Pri timer Own Pre State Master addr Group addr
Switch B
//Check the configuration.
SwitchB#show running-config
vlan 10
vlan 20
vlan 30
vlan 40
spanning-tree
no switchport
no ip proxy-arp
port-group 1!
port-group 1
interface AggregatePort 1
interface VLAN 10
no ip proxy-arp
vrrp 10 ip 192.168.10.1
interface VLAN 20
no ip proxy-arp
vrrp 20 ip 192.168.20.1
interface VLAN 30
no ip proxy-arp
vrrp 30 ip 192.168.30.1
interface VLAN 40
no ip proxy-arp
vrrp 40 ip 192.168.40.1
Configuration Guide Configuring VRRP
Interface Grp Pri timer Own Pre State Master addr Group addr
Interface Grp Pri timer Own Pre State Master addr Group addr
Common Errors
Different virtual IP addresses are configured on the routers in a VRRP group, resulting in multiple Master routers in
the group.
Different VRRP advertisement intervals are configured on the routers in a VRRP group and the learning timer is
not configured, resulting in multiple Master routers in the group.
Different VRRP versions are configured on the routers in a VRRP group, resulting in multiple Master routers in the
group.
For VRRPv2, the Ethernet interfaces of the routers in a VRRP group are all in plain text authentication mode but
inconsistent in authentication strings, resulting in multiple Master routers in the group.
6.5 Monitoring
Displaying
Description Command
Displays the brief or detailed show [ ipv6 ] vrrp [ brief | group ]
information of IPv4/IPv6 VRRP.
Configuration Guide Configuring VRRP
Displays the information of an show [ ipv6 ] vrrp interface type number [ brief ]
IPv4/IPv6 VRRP group on a specified
interface.
Displays the statistics of VRRP show vrrp packet statistics [ interface-type interface-number ]
packets.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs VRRP errors, events, debug [ ipv6 ] vrrp
packets and status.
Debugs VRRP errors. debug [ ipv6 ] vrrp errors
Debugs VRRP events. debug [ ipv6 ] vrrp events
Debugs VRRP packets. debug vrrp packets [ acl acl-id | [ icmp | protocol ] interface type number [ group ] ]
debug ipv6 vrrp packets [ acl acl-name | [ icmp | protocol ] interface type number
[ group ] ]
Debugs VRRP status. debug [ ipv6 ] vrrp state
Configuration Guide Configuring VRRP Plus
7.1 Overview
Virtual Router Redundancy Protocol Plus (VRRP Plus) is an extension of VRRP. It uses VRRP to implement gateway backup
and load balancing in the IEEE 802.3 local area network (LAN).
A disadvantage of VRRP is that the router in backup state cannot forward packets. To use VRRP to implement load
balancing, you need to manually configure multiple VRRP groups and set the gateway addresses of hosts in the LAN to
virtual IP addresses of different VRRP groups. This increases the workload of the network administrator. VRRP Plus is
designed to address this issue.
With VRRP Plus, load balancing is automatically implemented. That is, traffic of different hosts is automatically distributed to
members of the VRRP Plus group, and it is unnecessary to configure multiple VRRP groups orset the gateway addresses of
hosts in the LAN to virtual IP addresses of different VRRP groups. This greatly reduces the workload of the network
administrator.
7.2 Applications
Application Description
Enabling Load Balancing Within a Implement load balancing within a VRRP group without configuring multiple groups or
VRRP Group configuring different default gateways for hosts.
Enable load balancing within a VRRP group without configuring without configuring multiple VRRP groups or configuring
different default gateways for hosts.
Configure a VRRP group that consists of Router A and Router B, and enable the VRRP Plus function.
Configure the default gateway of each host as the master virtual IP address of the VRRP group.
Remarks
1. Two layer-3 (L3) devices, Router A and Router B, form a VRRP Plus group, and the virtual IP address of the
group is 192.168.12.1. Router A is the master device of VRRP and functions as a balancing virtual gateway
(BVG). Router B is the backup device of VRRP and functions as a balancing virtual forwarder (BVF).
2. Host 1 to Host 4 are hosts in the LAN with the network segment 192.168.12.0/24. Their default gateway
addresses are set to the virtual IP address 192.168.12.1 of the VRRP Plus group.
3. The load balancing policy is configured on the device to respond to the ARP requests sent from different
hosts. For example, when Host 1 and Host 2 request the gateway ARP, the MAC address 0000.5e00.0101
is returned to Host 1 and Host 2. When Host 3 and Host 4 request the gateway ARP, the MAC address
001A.A916.0201 is returned to Host 3 and Host 4. In this way, packets exchanged between Host 1/Host 2
and the external network are sent to Router A, and packets exchanged between Host 3/Host 4 and the
external network are sent to Router B, thereby implementing load balancing.
Deployment
Deploy VRRP Plus on Router A and Router B to implement load balancing on the local host.
7.3 Features
Basic Concepts
BVG
The BVG allocates virtual MAC addresses to members of the VRRP Plus group. It responds to the gateway ARP/ND
requests in the LAN, and forwards packets of hosts in the LAN.
BVF
Configuration Guide Configuring VRRP Plus
The BVF forwards packets of hosts in the LAN. If a virtual MAC address is allocated to a BVF, the BVF participates in packet
forwarding; otherwise, the BVF does not participate in packet forwarding.
Overview
Feature Description
VRRP Plus Extend VRRP and use VRRP to implement gateway backup and load balancing in the IEEE 802.3
LAN.
Basic Principles
Hosts in a LAN use the unified gateway IPv4 address (that is, virtual IP address of the VRRP group). When different hosts
request the gateway ARP/ND, the BVG responds with different virtual MAC addresses. In this way, traffic of different hosts
are distributed to different members of the VRRP Plus group, thereby implementing load balancing.
A master device in VRRP corresponds to a BVG in VRRP Plus, and a backup device in VRRP corresponds to a BVF in
VRRP Plus. Gateway addresses of hosts in the LAN are set to the virtual IPv4 address of VRRP.
The BVG allocates virtual MAC addresses to BVFs. For an IPv4 VRRP Plus group, the BVG directly uses the virtual MAC
address of VRRP to ensure compatibility between IPv4 VRRP Plus and VRRP. That is, the virtual MAC address used by the
BVG is 00-00-5E-00-01-{VRID}, where VRID is the VRRP group number. The virtual MAC address used by a BVF is
00-1A-A9-16-{MemberID}-{VRID}, where MemberID is the member ID of the BVF in the VRRP Plus group. Currently, a
VRRP Plus group can have up to four members. The BVG uses the member ID 01, and the other BVFs use the member IDs
02 to 04.
The BVG responds to the gateway ARP/NS requests sent from hosts in a LAN. Based on the specific load balancing policy,
the BVG responds hosts with different virtual MAC addresses. There are three types of load balancing policies:
Host-dependent policy: A specified virtual MAC address is used to respond to the requests sent by aspecified host.
Round-robin policy: Virtual MAC addresses in the backup group are used in a cyclic manner to respond to the gateway
ARP/NS requests sent by hosts.
Weighted policy: The ARP/NA requests are responded based on the forwarding capability of each device.
Configuration Guide Configuring VRRP Plus
If the load balancing mode is changed, load balancing is always implemented in the new load balancing mode. For example,
if the polling response mode is previously used, and later the weighted mode is used, load balancing is implemented in
weighted mode regardless of the earlier responses of the device. If the weighted policy is used, and the total weight of virtual
routers in a VRRP Plus group is 0, the ARP/NS requests are not responded.
When a device with a virtual MAC address becomes faulty in the backup group, traffic of hosts that use this virtual MAC
address as the gateway MAC address will be interrupted.
The BVG in the VRRP Plus backup group can quickly detect the fault, and automatically allocates the virtual MAC address of
the faulty BVF to another device in the backup group. The new device acts as the proxy of the faulty device to forward
packets of the virtual MAC address. In addition, this proxy device takes over traffic of original hosts to prevent traffic
interruption. The virtual MAC address allocated to a device in the backup group can be called master virtual MAC address,
and the virtual MAC address used by this device on behalf of another device is called proxy virtual MAC address.
VRRP Plus provides the proxy function for the virtual MAC address so that another device can take the place of a faulty
device with a virtual MAC address to forward packets. If the BVF is recovered from the fault, its forwarding role is recovered
and the BVF continues to forward packets of the virtual MAC address allocated to this BVF. If the faulty BVF is not recovered,
the backup group stops redirecting traffic to this virtual MAC address. That is, when ARP requests are received again, this
virtual MAC address is no longer responded. After a sufficient long period of time, it is believed that hosts that use the MAC
address as the gateway MAC address already update the ARP/ND table entry of the gateway address, and the traffic is
already taken over by other devices. At this time, this virtual MAC address can be deleted, and packets sent to this virtual
MAC address are dropped.
VRRP Plus supports configuration of the redirection time and timeout of the backup group. When a device is faulty, the
backup group allocates the virtual MAC address of the faulty device to another device. Within the redirection time, the backup
group continues to use this virtual MAC address to respond the ARP/NS requests. When the redirection time expires, the
backup group no longer uses this virtual MAC address to respond the requests. When the timeout elapses, the backup group
deletes this virtual MAC address and stops using this virtual MAC address for proxy forwarding. Figure 7-2 shows the
changes to the role of the virtual MAC address within the redirection time and timeout.
Figure 7-2 Changes to the Role of the Virtual MAC Address Within the Redirection Time and Timeout
Configuration Guide Configuring VRRP Plus
Weight-based Forwarding
VRRP Plus supports the weight configuration of the backup group. Different weights are configured for different devices. In
this way, more traffic is distributed to the device with a greater weight and less traffic is distributed to the device with a smaller
weight, thereby fully utilizing the forwarding performance of different devices. When the weight of a BVF in the backup group
is smaller than the lower threshold, the BVF automatically exits from the forwarding role. When the weight recovers and is
greater than the upper threshold, the BVF automatically applies for the forwarding role. The forwarding role can be recovered
when one or more remaining virtual MAC addresses or proxy virtual MAC addresses exist.
VRRP Plus supports the function of seizing the forwarding role. In VRRP Plus, at most four devices can participate in load
balancing. That is, a VRRP Plus backup group generates at most four virtual MAC addresses. If more than four devices are
added to a VRRP Plus group, only four devices participate in packet forwarding. The remaining devices only listen to the
status of other devices and do not participate in packet forwarding. Only when a device participating in packet forwarding is
faulty, another device that originally does not participate in packet forwarding will take the place of the faulty device to
forward packets. Assume that a VRRP Plus backup group already has four devices and all these devices participate in
packet forwarding; a fifth device is added to the VRRP Plus group, and the forwarding capability of this device is strong or the
original forwarding role encounters a link failure and consequently degradation of forwarding performance. In this case, if the
seizure mode is enabled, the fifth device can seize the forwarding role from a device with a smaller weight (that is, with lower
forwarding capability). A greater weight is configured for a device with stronger forwarding capability. When the weight of a
device in listening state is found greater than that of a forwarding device, the device in listening state automatically seizes the
forwarding role from the forwarding device. That is, the device with stronger forwarding capability forwards packets, whereas
the device with lower forwarding capability is in listening state. This can minimize the waste of resources.
The BVG in a backup group is responsible for allocation of virtual MAC addresses. Therefore, the BVG role cannot be seized,
and only the forwarding role of a BVF can be seized. If the BVG device is faulty, VRRP re-elects a new master device, which
assumes the BVG role.
1. After VRRP Plus is configured, the ARP/NS requests are received from hosts can be responded based on different load
balancing policies to implement load balancing among these hosts. However, load balancing cannot be implemented
for hosts that have learned the VRRP virtual gateway addresses before configuration of VRRP Plus. Therefore, if VRRP
Plus is configured after the VRRP state is changed to Master, real load balancing cannot be implemented before aging
of the ARP/NDs learned by hosts. Load balancing is implemented only after the gateway ARP/NDs recorded by the
hosts age and the hosts request for new gateway addresses.
2. Periodical sending of gratuitous ARPs on an interface also affect the load balancing function of VRRP Plus. When
VRRP Plus is enabled, the function of sending gratuitous ARPs of VRRP virtual IP addresses will be disabled. When an
virtual IP address overlaps with an actual IP address, gratuitous ARPs of this address are no longer sent.
3. When an address conflict occurs between a host and the local device, the ARP/NA module will broadcast gratuitous
ARP/NA packets of this address. If a conflict of the VRRP Plus virtual address occurs, sending gratuitous ARP/NA
packet will result re-learning of the host's gateway MAC address, which negatively affects the load balancing function of
VRRP Plus. Therefore, the load balancing function of VRRP Plus is currently not supported in this scenario.
7.4 Configuration
Enable the VRRP Plus function. (By default, this function is disabled.)
Notes
To enable the VRRP Plus function, you must configure the VRRP virtual IP address for the corresponding backup
group.
Configuration Steps
By default, VRRP Plus is enabled. Perform this configuration if VRRP Plus is required.
After VRRP Plus is enabled, the host-dependent load balancing policy is used by default.
Configuring the Redirection Time and Timeout of the Proxy Virtual MAC Address in a VRRP Plus Backup Group
After VRRP Plus is enabled, the redirection time is set to 300s and timeout is set to 14,400s by default.
Configuring the Weight and Upper and Lower Thresholds of a VRRP Plus Backup Group
After VRRP Plus is enabled, the weight of the backup group is set to 100, the lower threshold to 1, and the upper
threshold to 100 by default.
After VRRP Plus is enabled, the forwarding seizure function is enabled by default.
The weight tracking object of a VRRP Plus backup group is disabled by default. Perform this configuration if the tracking
function is required.
Verification
Run the show group vrrp balance command to display the VRRP backup group configuration. If the backup group has
the packet forwarding tasks, "local" is displayed in the forwarders column, and the virtual MAC address allocated to
this backup group is also displayed.
Related Commands
Configuring the Redirection Time and Timeout of the Proxy Virtual MAC Address in a VRRP Plus Backup Group
Configuring the Weight and Upper and Lower Thresholds of a VRRP Plus Backup Group
smaller weight. When the weight of a BVF in the backup group is lower than the lower threshold, the BVF
automatically exits from the forwarding role. When the weight recovers and is higher than the upper
threshold, the forwarding role of the BVF is automatically restored.
Configuration Example
Scenario
Figure 7-3
Configuration Configure a VRRP group and enable VRRP Plus respectively on Router A and Router B. Configure the
Steps local IP addresses so that Router A becomes a BVG (master) device, and Router B becomes a BVF
(backup) device.
Configure the weighted load balancing policy. Configure the weight tracking object, and set the
decrement value to 100.
Retain default configurations of the weight, upper and lower thresholds, redirection time, timeout, and
forwarding seizure of the backup group.
Set the default gateway addresses of Host 1 to Host 4 in the LAN to the virtual IP address of VRRP,
Configuration Guide Configuring VRRP Plus
RuijieA(config)#interface GigabitEthernet0/0
Router B
RuijieB#config
RuijieB(config)#interface GigabitEthernet0/0
Verification Run the show vrrp balance command to display the configuration of the VRRP Plus group. If the backup
group has the packet forwarding tasks, "local" is displayed in the forwarders column, and the virtual MAC
address allocated to this backup group is also displayed.
Router A
RuijieA# show vrrp balance interface GigabitEthernet0/0
State is BVG
Forwarder 1 (local)
MAC address:
0000.5e00.0101
Owner ID is 0000.0001.0006
Configuration Guide Configuring VRRP Plus
Forwarder 2
MAC address:
001a.a916.0201
Owner ID is 00d0.f822.33a3
Preemption enabled
Router B
RuijieB# show vrrp balance interface GigabitEthernet0/0
State is BVF
Forwarder 1
MAC address:
0000.5e00.0101
Owner ID is 0000.0001.0006
Forwarder 2 (local)
MAC address:
001a.a916.0201
Owner ID is 00d0.f822.33a3
Preemption enabled
Common Errors
VRRP Plus does not take effect because the VRRP virtual IP address is not configured for the related group.
7.5 Monitoring
Displaying
Description Command
Configuration Guide Configuring VRRP Plus
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs the VRRP Plus function. debug vrrp balance
Debugs errors. debug vrrp balance error
Debugs events of the VRRP Plus group. debug vrrp balance event
Debugs the messages between the VRRP debug vrrp balance messages
module and the track module.
Debugs the VRRP Plus packets. Debug vrrp balance packets
Debugs the VRRP Plus group status. debug vrrp balance state
Debugs the timers of the VRRP Plus group. debug vrrp balance timer
Network Management & Monitoring Configuration
1. Configuring SNMP
2. Configuring RMON
3. Configuring NTP
4. Configuring SNTP
6. Configuring ERSPAN
7. Configuring sFlow
Configuration Guide Configuring SNMP
1 Configuring SNMP
1.1 Overview
Simple Network Management Protocol (SNMP) became a network management standard RFC1157 in August 1988. At
present, because many vendors support SNMP, SNMP has in fact become a network management standard and is applicable
to the environment where systems of multiple vendors are interconnected. By using SNMP, the network administrator can
implement basic functions such as information query for network nodes, network configuration, fault locating, capacity
planning, and network monitoring and management.
SNMP Versions
SNMPv3: SNMPv3 provides the following security features by identifying and encrypting data.
RFC 3411, An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
RFC 3412, Message Processing and Dispatching for the Simple Network Management Protocol (SNMP)
RFC 3414, User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
RFC 3415, View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP)
RFC 3416, Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)
RFC 3417, Transport Mappings for the Simple Network Management Protocol (SNMP)
RFC 3418, Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)
1.2 Applications
Application Description
Managing Network Devices Based Network devices are managed and monitored based on SNMP.
on SNMP
Take the following figure as an example. Network device A is managed and monitored based on SNMP network manager.
Figure 1-1
Deployment
The network management station is connected to the managed network devices. On the network management station, users
access the Management Information Base (MIB) on the network devices through the SNMP network manager and receive
messages actively sent by the network devices to manage and monitor the network devices.
1.3 Features
Basic Concepts
SNMP is an application layer protocol that works in C/S mode. It consists of three parts:
SNMP agent
MIB
Figure 1-2 shows the relationship between the network management system (NMS) and the network management agent.
Configuration Guide Configuring SNMP
The SNMP network manager is a system that controls and monitors the network based on SNMP and is also called the NMS.
SNMP Agent
The SNMP agent (hereinafter referred to as the agent) is software running on the managed devices. It is responsible for
receiving, processing, and responding to monitoring and control packets from the NMS. The agent may also actively send
messages to the NMS.
MIB
The MIB is a virtual network management information base. The managed network devices contain lots of information. To
uniquely identify a specific management unit among SNMP packets, the MIB adopts the tree hierarchical structure. Nodes in
the tree indicate specific management units. A string of digits may be used to uniquely identify a management unit system
among network devices. The MIB is a collection of unit identifiers of network devices.
Operation Types
Six operation types are defined for information exchange between the NMS and the agent based on SNMP:
Get-request: The NMS extracts one or more parameter values from the agent.
Get-next-request: The NMS extracts the parameter value next to one or more parameters from the agent.
Get-bulk: The NMS extracts a batch of parameter values from the agent.
Set-request: The NMS sets one or more parameter values of the agent.
Get-response: The agent returns one or more parameter values, which are the operations in response to the three
operations performed by the agent on the NMS.
Trap: The agent actively sends a message to notify the NMS of something that happens.
The first four packets are sent by the NMS to the agent and the last two packets are sent by the agent to the NMS. (Note:
SNMPv1 does not support the Get-bulk operation.) Figure 1-4 describes the operations.
The three operations performed by the NMS on the agent and the response operations of the agent are based on UDP port
161. The trap operation performed by the agent is based on UDP port 162.
Overview
Feature Description
Basic SNMP Functions The SNMP agent is configured on network devices to implement basic functions such as
information query for network nodes, network configuration, fault locating, and capacity planning.
SNMPv1 and SNMPv2C SNMPv1 and SNMPv2C adopt the community-based security architecture, including
authentication name and access permission.
SNMPv3 SNMPv3 redefines the SNMP architecture, namely, it enhances security functions, including the
security model based on users and access control model based on views. The SNMPv3
architecture already includes all functions of SNMPv1 and SNMPv2C.
Configuration Guide Configuring SNMP
Working Process
SNMP protocol interaction is response interaction (for exchange of packets, see Figure 1-4). The NMS actively sends
requests to the agent, including Get-request, Get-next-request, Get-bulk, and Set-request. The agent receives the requests,
completes operations, and returns a Get-response. Sometimes, the agent actively sends a trap message and an Inform
message to the NMS. The NMS does not need to respond to the trap message but needs to return an Inform-response to the
agent. Otherwise, the agent re-sends the Inform message.
Related Configuration
The no enable service snmp-agent command is used to directly disable all SNMP services.
By default, the system contact mode, system location, and device Network Element (NE) information are empty. The default
serial number is 60FF60, the default maximum packet length is 1,572 bytes, and the default UDP port ID of the SNMP service
is 161.
The snmp-server contact command is used to configure or delete the system contact mode.
The snmp-server location command is used to configure or delete the system location.
The snmp-server chassis-id command is used to configure the system serial number or restore the default value.
The snmp-server packetsize command is used to configure the maximum packet length of the agent or restore the default
value.
The snmp-server net-id command is used to configure or delete the device NE information.
The snmp-server udp-port command is used to set the UDP port ID of the SNMP service or restore the default value.
The snmp-server host command is used to configure the NMS host address to which the agent actively sends messages or
to delete the specified SNMP host address. In the messages sent to the host, the SNMP version, receiving port, authentication
name, or user can be bound. This command is used with the snmp-server enable traps command to actively send trap
messages to the NMS.
By default, SNMP is not allowed to actively send a trap message to the NMS, the function of sending a Link Trap message on
an interface is enabled, the function of sending a system reboot trap message is disabled, and a trap message does not carry
any private field.
By default, the IP address of the interface where SNMP packets are sent is used as the source address.
By default, the length of a trap message queue is 10 and the interval for sending a trap message is 30s.
The snmp-server enable traps command is used to enable or disable the agent to actively send a trap message to the NMS.
The snmp trap link-status command is used to enable or disable the function of sending a Link Trap message on an
interface.
The snmp-server trap-source command is used to specify the source address for sending messages or to restore the default
value.
The snmp-server queue-length command is used to set the length of a trap message queue or to restore the default value.
The snmp-server trap-timeout command is used to set the interval for sending a trap message or to restore the default
value.
The snmp-server trap-format private command is used to set or disable the function of carrying private fields in a trap
message when the message is sent.
The snmp-server system-shutdown command is used to enable or disable the function of sending a system reboot trap
message.
Working Principle
SNMPv1 and SNMPv2 determine whether the administrator has the right to use MIB objects by using the authentication name.
The authentication name of the NMS must be the same as an authentication name defined in devices.
SNMPv2C adds the Get-bulk operation mechanism and can return more detailed error message types to the management
workstation. The Get-bulk operation is performed to obtain all information from a table or obtain lots of data at a time, so as to
reduce the number of request responses. The enhanced error handling capabilities of SNMPv2C include extension of error
codes to differentiate error types. In SNMPv1, however, only one error code is provided for errors. Now, errors can be
differentiated based on error codes. Because management workstations supporting SNMPv1 and SNMPv2C may exist on the
network, the SNMP agent must be able to identify SNMPv1 and SNMPv2C packets and return packets of the corresponding
versions.
Security
Read-only: Provides the read permission of all MIB variables for authorized management workstations.
Read-write: Provide the read/write permission of all MIB variables for authorized management workstations.
Configuration Guide Configuring SNMP
Related Configuration
The snmp-server community command is used to configure or delete an authentication name and access permission.
This command is the first important command for enabling the SNMP agent function. It specifies community attributes and
NMS scope where access to the MIB is allowed.
1.3.3 SNMPv3
SNMPv3 redefines the SNMP architecture and includes functions of SNMPv1 and SNMPv2 into the SNMPv3 system.
Working Principle
The NMS and SNMP agent are SNMP entities. In the SNMPv3 architecture, SNMP entities consist of the SNMP engine and
SNMP applications. The SNMP engine is used to send and receive messages, identify and encrypt information, and control
access to managed objects. SNMP applications refer to internal applications of SNMP, which work by using the services
provided by the SNMP engine.
SNMPv3v determines whether a user has the right to use MIB objects by using the User-based Security Model (USM). The
security level of the NMS user must be the same as that of an SNMP user defined in devices so as to manage devices.
SNMPv3 requires the NMS to obtain the SNMP agent engine IDs on devices when the NMS manages devices. SNMPv3
defines the discover and report operation mechanisms. When the NMS does not know agent engine IDs, the NMS may first
send a discover message to the agent and the agent returns a report message carrying an engine ID. Later, management
operations between the NMS and the agent must carry the engine ID.
Security
SNMPv3 determines the data security mechanism based on the security model and security level. At present, security
models include: SNMPv1, SNMPv2C, and SNMPv3. SNMPv3 includes SNMPv1 and SNMPv2C into the security model.
Security
Security Level Authentication Encryption Description
Model
Data validity is confirmed through authentication
SNMPv1 noAuthNoPriv Authentication name N/A
name.
Data validity is confirmed through authentication
SNMPv2c noAuthNoPriv Authentication name N/A
name.
Security
Security Level Authentication Encryption Description
Model
SNMPv3 noAuthNoPriv User name. N/A Data validity is confirmed through user name.
Configuration Guide Configuring SNMP
Engine ID
An engine ID is used to uniquely identify an SNMP engine. Because each SNMP entity includes only one SNMP engine, one
SNMP engine uniquely identifies an SNMP entity in a management domain. Therefore, the SNMPv3 agent as an entity must
has a unique engine ID, that is, SnmpEngineID.
An engine ID is an octet string that consists of 5 to 32 bytes. RFC3411 defines the format of an engine ID:
The first four bytes indicate the private enterprise ID (allocated by IANA) of a vendor, which is expressed in hexadecimal.
0: Reserved.
6-127: Reserved.
Related Configuration
By default, one view is configured and all MIB objects can be accessed.
The snmp-server view command is used to configure or delete a view and the snmp-server group command is used to
configure or delete a user group.
One or more instructions can be configured to specify different community names so that network devices can be managed by
NMSs of different permissions.
The NMS can communicate with the agent by using only legal users.
An SNMPv3 user can specify the security level (whether authentication and encryption are required), authentication algorithm
(MD5 or SHA), authentication password, encryption password (only DES is available currently), and encryption password.
1.4 Configuration
(Mandatory) It is used to enable users to access the agent through the NMS.
(Optional) It is used to enable the agent to actively send a trap message to the NMS.
(Optional) It is used to shield the agent function when the agent service is not required.
Shielding the Agent Function
no snmp-server Shields the agent function.
Notes
By default, no authentication name is set on network devices and SNMPv1 or SNMPv2C cannot be used to access the
MIB of network devices. When an authentication name is set, if no access permission is specified, the default access
permission is read-only.
Configuration Steps
Optional
An SNMP view needs to be configured when the View-based Access Control Model (VACM) is used.
Optional
Mandatory
An authentication name must be set on the agent when SNMPv1 and SNMPv2C are used to manage network devices.
Mandatory
Optional
By default, the agent function is enabled. When the agent function needs to be enabled again after it is disabled, this
command must be used.
Configuration Guide Configuring SNMP
Optional
By default, the SNMP attack protection and detection function is disabled. When malicious attacks need to be prevented,
the configuration item must be used on the agent.
Optional
By default, password dictionary check is not performed for communities and users. If community names and user names
are too simple and are easily cracked, enable password dictionary check for communities and users. The configuration
must be used with the password policy command.
Verification
Run the show snmp command to check the SNMP function on devices.
Related Commands
Command snmp-server group groupname { v1 | v2c | v3 { auth | noauth | priv } } [ read readview ] [ write writeview ]
[ access { ipv6 ipv6-aclname | aclnum | aclname } ]
Parameter v1 | v2c |v3: Specifies the SNMP version.
Description auth: Messages sent by users in the group need to be verified but data confidentiality is not required. This
configuration is valid for SNMPv3 only.
noauth: Messages sent by users in the group do not need to be verified and data confidentiality is not
required. This configuration is valid for SNMPv3 only.
priv: Messages sent by users in the group need to be verified and confidentiality of transmitted data is
required. This configuration is valid for SNMPv3 only.
readview: Associates one read-only view.
writeview: Associates one read/write view.
aclnum: ACL number. The specified ACL is associated and the range of IPv4 NMS addresses from which
access to the MIB is allowed is specified.
Configuration Guide Configuring SNMP
aclname: ACL name. The specified ACL is associated and the range of IPv4 NMS addresses from which
access to the MIB is allowed is specified.
ipv6-aclname: IPv6 ACL name. The specified ACL is associated and the range of IPv6 NMS addresses from
which access to the MIB is allowed is specified.
Command Global configuration mode
Mode
Usage Guide Associate certain users with a group and associate the group with a view. Users in a group have the same
access permission. In this way, you can determine whether managed objects associated with an operation
are in the allowable range of a view. Only managed objects in the range of a view can be accessed.
Command snmp-server community [ 0 | 7 ] string [ view view-name ] [ [ ro | rw ] [ host ipaddr ] ] [ ipv6 ipv6-aclname]
[ aclnum | aclname ]
Parameter 0: Indicates that the input community string is a plaintext string.
Description 7: Indicates that the input community string is a ciphertext string.
string: Community string, which is equivalent to the communication password between the NMS and the
SNMP agent.
view-name: Specifies a view name for view-based management.
ro: Indicates that the NMS can only read variables of the MIB.
rw: The NMS can read and write variables of the MIB.
aclnum: ACL number. The specified ACL is associated and the range of IPv4 NMS addresses from which
access to the MIB is allowed is specified.
aclname: ACL name. The specified ACL is associated and the range of IPv4 NMS addresses from which
access to the MIB is allowed is specified.
ipv6-aclname: ACL name. The specified ACL is associated and the range of IPv6 NMS addresses from
which access to the MIB is allowed is specified.
ipaddr: Associates NMS addresses and specifies NMS addresses for accessing the MIB.
Command Global configuration mode
Mode
Usage Guide This command is the first important command for enabling the SNMP agent function. It specifies community
attributes and NMS scope where access to the MIB is allowed.
To disable the SNMP agent function, run the no snmp-server command.
Command snmp-server user username groupname { v1 | v2c | v3 [ encrypted ] [ auth { md5 | sha } auth-password ]
[ priv des56 priv-password ] } [ access { ipv6 ipv6-aclname | aclnum | aclname } ]
Parameter username: User name.
Description groupname: Specifies the group name for a user.
v1 | v2c | v3: Specifies the SNMP version. Only SNMPv3 supports later security parameters.
encrypted: The specified password input mode is ciphertext input. Otherwise, plaintext is used for input. If
ciphertext input is selected, enter a key consisting of continuous hexadecimal digits. An MD5 protocol
Configuration Guide Configuring SNMP
authentication key consists of 16 bytes and an SHA authentication protocol key consists of 20 bytes. Two
characters stand for one byte. Encrypted keys are valid for this engine only.
auth: Specifies whether authentication is used.
md5: Specifies the MD5 authentication protocol. sha specifies the SHA authentication protocol.
auth-password: Configures a password string (not more than 32 characters) used by the authentication
protocol. The system converts the passwords into the corresponding authentication keys.
priv: Specifies whether confidentiality is used. des56 specifies the use of the 56-bit DES encryption
protocol.
priv-password: Configures a password string (not more than 32 characters) used for encryption. The system
converts the password into the corresponding encryption key.
aclnum: ACL number. The specified ACL is associated and the range of IPv4 NMS addresses from which
access to the MIB is allowed is specified.
aclname: ACL name. The specified ACL is associated and the range of IPv4 NMS addresses from which
access to the MIB is allowed is specified.
ipv6-aclname: IPv6 ACL name. The specified ACL is associated and the range of IPv6 NMS addresses from
which access to the MIB is allowed is specified.
Command Global configuration mode
Mode
Usage Guide Configure user information so that the NMS can communicate with the agent by using a valid user.
For an SNMPv3 user, you can specify the security level, authentication algorithm (MD5 or SHA),
authentication password, encryption algorithm (at present, only DES is available), and encryption password.
Parameter mib: Displays information about the SNMP MIB supported in the system.
Description
user: Displays information about an SNMP user.
process-mib-time: Displays the MIB node with the longest processing time.
Configuration Guide Configuring SNMP
Configuration Example
Scenario
Figure 1-5
The NMS manages network devices (agents) based on the user authentication and encryption mode,
for example, the NMS uses user1 as the user name, MD5 as the authentication mode, 123 as the
authentication password, DES56 as the encryption algorithm, and 321 as the encryption password.
Network devices can control the operation permission of users to access MIB objects. For example,
the user named user1 can read MIB objects under the system node (1.3.6.1.2.1.1) and can only write
MIB objects under the SysContact node (1.3.6.1.2.1.1.4.0).
Network devices can actively send authentication and encryption messages to the NMS.
Configuration Configure a MIB view and a MIB group. Create a MIB view “view1”, which includes the associated MIB
Steps object (1.3.6.1.2.1.1); then create a MIB view “view2”, which includes the associated MIB object
(1.3.6.1.2.1.1.4.0). Create a group “g1”, select the version “v3”, set the security level to the
authentication and encryption mode “priv”, and configure permissions to read the view “view1” and
write the view “view2”.
Configure an SNMP user. Create a user named “user1” under group “g1”, select “v3” as the version,
and set the authentication mode to “md5”, authentication password to “123”, encryption mode to
“DES56”, and encryption password to “321”.
Configure the SNMP host address. Set the host address to 192.168.3.2, select “3” as the version, set
the security level to the authentication and encryption mode “priv”, and associate the user name
“user1”. Enable the agent to actively send a trap message to the NMS.
Set the IP address of the agent. Set the address of the Gi0/1 interface to 192.168.3.1/24.
Agent
Ruijie(config)#snmp-server view view1 1.3.6.1.2.1.1 include
Ruijie(config-if-gigabitEthernet 0/1)#exit
Verification 1. Run the show running-config command to display configuration information of the device.
2. Run the show snmp user command to display the SNMP user.
3. Run the show snmp view command to display the SNMP view.
4. Run the show snmp group command to display the SNMP group.
5. Run the show snmp host command to display the host information configured by the user.
6. Install MIB-Browser.
Agent
Ruijie# show running-config
no ip proxy-arp
Group-name: g1
view1(include) 1.3.6.1.2.1.1
view2(include) 1.3.6.1.2.1.1.4.0
default(include) 1.3.6.1
groupname: g1
securityModel: v3
securityLevel:authPriv
readview: view1
writeview: view2
notifyview:
udp-port: 162
type: trap
user: user1
Install MIB-Browser, enter IP address 192.168.3.1 in IP Address and user1 in UserName, select
AuthPriv for Security Level, enter 123 in AuthPassWord, select MD5 for AuthProtocol, and enter 321
in PrivPassWord. Click Add Item and select a management unit for which the MIB needs to be queried,
for example, System in the following figure. Click Start. The MIB is queried for network devices.
The lowest pane in the following figure shows query results.
Configuration Guide Configuring SNMP
Common Errors
Notes
N/A
Configuration Steps
Optional
Configure the host address of the NMS when the agent is required to actively send messages.
Optional
Configure this item on the agent when the agent is required to actively send a trap message to the NMS.
Optional
Configure this item on the agent when a link trap message needs to be sent on an interface.
Optional
Configure this item on the agent when the RGOS system is required to send a trap message to the NMS to notify system
reboot before reloading or reboot of the device.
Optional
Configure this item on the agent when it is required to permanently use a local IP address as the source SNMP address
to facilitate management.
Enabling a Trap Message to Carry Private Fields when the Message Is Sent
Optional
Configure this item on the agent when private fields need to be carried in a trap message.
Verification
Run the show running-config command to display configuration information of the device.
Related Commands
Command snmp-server host{ host-addr | ipv6 ipv6-addr } [ traps | inrorms ] [ version { 1 | 2c | 3 { auth | noauth |
priv } ] community-string [ udp-port port-num ] [ notification-type ]
Parameter host-addr: Address of the SNMP host.
Description ipv6-addr: (IPv6) address of the SNMP host.
traps | informs: Configures the host to send a trap message or an inform message.
version: SNMP version, which can be set to V1, V2C, or V3.
auth | noauth | priv: Sets the security level of V3 users.
community-string: Community string or user name (V3).
port-num: Configures the port ID of the SNMP host.
notification-type: Type of trap messages that are actively sent, for example, snmp.
facilitate management and identification, this command can be run to permanently use one local IP address
as the source SNMP address.
Enabling a Trap message to Carry Private Fields when the Message Is Sent
Configuration Example
Scenario
Figure 1-6
The NMS manages network devices (agents) based on the community authentication mode, and
network devices can actively send messages to the NMS.
Configuration 1. Perform configuration to enable the agent to actively send messages to the NMS. Set the SNMP host
Steps address to 192.168.3.2, the message format to Version2c, and the authentication name to user1.
Enable the agent to actively send trap messages.
2. Set the IP address of the agent. Set the address of the Gi0/1 interface to 192.168.3.1/24.
Agent
Ruijie(config)#snmp-server host 192.168.3.2 traps version 2c user1
Ruijie(config-if-gigabitEthernet 0/1)#exit
Verification Run the show running-config command to display configuration information of the device.
Run the show snmp command to display the SNMP status.
Agent
Ruijie# show running-config
ip access-list standard a1
Configuration Guide Configuring SNMP
no ip proxy-arp
Ruijie#show snmp
Chassis: 1234567890
0 Encoding errors
0 Get-request PDUs
0 Get-next PDUs
0 Set-request PDUs
0 General errors
0 Response PDUs
0 Trap PDUs
Common Errors
N/A
Shield the agent function when the agent service is not required.
Notes
Run the no snmp-server command to shield the SNMP agent function when the agent service is not required.
Different from the shielding command, after the no enable service snmp-agent command is run, all SNMP services are
directly disabled (that is, the SNMP agent function is disabled, no packet is received, and no response packet or trap
packet is sent), but configuration information of the agent is not shielded.
Configuration Steps
Optional
To shield the configuration of all SNMP agent services, use this configuration.
Optional
Verification
Run the show services command to check whether SNMP services are enabled or disabled.
Run the show running-config command to display configuration information of the device.
Related Commands
Command no snmp-server
Parameter N/A
Description
Command Global configuration mode
Configuration Guide Configuring SNMP
Mode
Usage Guide By default, the SNMP agent function is disabled. When SNMP agent parameters (for example, NMS host
address, authentication name, and access permission) are set, the SNMP agent service is automatically
enabled. The enable service snmp-agent command must also be run at the same time so that the SNMP
agent service can take effect. If the SNMP agent service is disabled or the enable service snmp-agent
command is not run, the SNMP agent service does not take effect. Run the no snmp-server command to
disable SNMP agent services of all versions supported by the device.
After this command is run, all SNMP agent service configurations are shielded (that is, after the show
running-config command is run, no configuration is displayed. Configurations are restored after the SNMP
agent service is enabled again). After the enable service snmp-agent command is run, the SNMP agent
configurations are not shielded.
Configuration Example
Scenario
Figure 1-7
After the SNMP service is enabled and the SNMP agent server is set, the NMS can access devices based
on SNMP.
Verification 1. Run the show services command to check whether the SNMP service is enabled or disabled.
Agent
Ruijie#show service
web-server : disabled
Configuration Guide Configuring SNMP
web-server(https): disabled
snmp-agent : enabled
ssh-server : disabled
telnet-server : enabled
Common Errors
N/A
Set basic parameters of the SNMP agent, including the device contact mode, device location, serial number, and parameters
for sending a trap message. By accessing the parameters, the NMS can obtain the contact person of the device and physical
location of the device.
Notes
N/A
Configuration Steps
Optional
When the contact mode of the system needs to be modified, configure this item on the agent.
Optional
When the system location needs to be modified, configure this item on the agent.
Optional
When the system serial number needs to be modified, configure this item on the agent.
Optional
When the NE code needs to be modified, configure this item on the agent.
Optional
When the maximum packet length of the SNMP agent needs to be modified, configure this item on the agent.
Configuration Guide Configuring SNMP
Optional
When the UDP port ID of the SNMP service needs to be modified, configure this item on the agent.
Optional
When the size of the message queue needs to be adjusted to control the message sending speed, configure this item on
the agent.
Optional
When the interval for sending a trap message needs to be modified, configure this item on the agent.
Optional
If a large number of SNMP request packets result in high CPU usage for SNMP tasks, configure SNMP flow control to
limit the number of request packets processed per second in each SNMP task, so as to control the CPU usage for SNMP
tasks.
Verification
Run the show running-config command to display configuration information of the device.
Related Commands
mode
Usage Guide Adjust the size of the message queue to control the message sending speed.
Configuration Example
Scenario
Figure 1-8
The NMS manages network devices (agents) based on the community authentication mode and can
obtain basic system information about the devices, for example, system contact mode, location, and
serial number.
Configuration 1. Set SNMP agent parameters. Set the system location, contact mode, and serial number.
Steps 2. Set the IP address of the agent. Set the address of the Gi0/1 interface to 192.168.3.1/24.
Agent
Ruijie(config)#snmp-server location fuzhou
Ruijie(config-if-gigabitEthernet 0/1)#exit
ip access-list standard a1
no ip proxy-arp
v1(include) 1.3.6.1.2.1.1
default(include) 1.3.6.1
groupname: user1
securityModel: v1
securityLevel:noAuthNoPriv
readview: v1
writeview: v1
notifyview:
groupname: user1
securityModel: v2c
securityLevel:noAuthNoPriv
readview: v1
Configuration Guide Configuring SNMP
writeview: v1
notifyview:
1.5 Monitoring
Displaying
Description Command
Displays the SNMP status. show snmp [mib | user | view | group| host]
Configuration Guide Configuring RMON
2 Configuring RMON
2.1 Overview
The Remote Network Monitoring (RMON) aims at resolving problems of managing local area networks (LANs) and remote
sites by using one central point. In RMON, network monitoring data consists of a group of statistics and performance
indicators, which can be used for monitoring the network utilization, so as to facilitate network planning, performance
optimization, and network error diagnosis.
RMON is mainly used by a managing device to remotely monitor and manage managed devices.
STD 0059 / RFC 2819: Remote Network Monitoring Management Information Base
RFC 3919: Remote Network Monitoring (RMON) Protocol Identifiers for IPv6 and Multi Protocol Label Switching (MPLS)
RFC 3737: IANA Guidelines for the Registry of Remote Monitoring (RMON) MIB Modules
RFC 3434: Remote Monitoring MIB Extensions for High Capacity Alarms
RFC 3395: Remote Network Monitoring MIB Protocol Identifier Reference Extensions
RFC 3273: Remote Network Monitoring Management Information Base for High Capacity Networks
2.2 Applications
Application Description
Collecting Statistics on Information of Applies four functions of RMON to an interface to monitor the network communication
a Monitored Interface of the interface.
The RMON Ethernet statistics function is used to monitor accumulated information of an interface, the history statistics
function is used to monitor the packet count of an interface within each monitoring interval, and the alarm function is used to
immediately acquire packet count exceptions of an interface. The following figure shows the networking topology.
Figure 2-1
Configuration Guide Configuring RMON
Deployment
Interface is monitored to accumulatively collect statistics on the packet count of the interface and collect statistics on the
packet count and bandwidth utilization of the interface within the monitoring interval. If a packet count exception occurs on the
interface, an alarm is reported to the network management system (NMS). The configuration key points are as follows:
Configure the RMON alarm table and define RMON event processing actions in configuration mode. Monitored objects
of alarms are the object identifier (OID) values of specific fields in the RMON Ethernet statistical table configured for
interface.
2.3 Features
Basic Concepts
RMON defines multiple RMON groups. Ruijie products support the statistics group, history group, alarm group, and event
group, which are described as follows:
Statistics Group
The statistics group is used to monitor and collect statistics on Ethernet interface traffic information, which is accumulated from
the entry creation time to the current time. The statistical items include discarded data packets, broadcast data packets, cyclic
redundancy check (CRC) errors, large and small blocks, and collisions. Statistical results are stored in the Ethernet statistical
table.
History Group
The history group is used to periodically collect network traffic information. It records accumulated values of network traffic
information and the bandwidth utilization within each interval, and saves them in the history control table. It includes two small
groups:
The HistoryControl group is used to set the sampling interval, sampling data source, and other control information.
Configuration Guide Configuring RMON
The EthernetHistory group provides administrators with historical data, including statistics on network segment traffic,
error packets, broadcast packets, utilization, and number of collisions.
Alarm Group
The alarm group is used to monitor a specified Management Information Base (MIB) object. When the value of a MIB object
exceeds the preset upper limit or is lower than the preset lower limit, an alarm is triggered and the alarm is processed as an
event.
Event Group
The event group is used to define the event processing mode. When a monitored MIB object meets alarm conditions, an event
is triggered. An event can be processed in any of the following modes:
log: Event-relevant information is recorded in the log record table so that administrators can view it at any time.
snmp-trap: A trap message is transmitted to the NMS to notify the NMS of the event occurrence.
log-and-trap: Event-relevant information is recorded in the log record table and a trap message is transmitted to the
NMS.
Working Principle
RMON supports multiple monitors and two data collection methods. Method 1: A dedicated RMON probe is used to collect
data and the NMS can directly acquire all information about the RMON MIB from the RMON probe. Method 2: RMON agents
are built into network devices (such as switches and routers) so that the devices have the RMON probe function. The NMS
uses basic commands of the Simple Network Management Protocol (SNMP) to exchange data with the RMON agents and
collect network management information. This method, however, is limited by device resources and information of only four
groups rather than all data of the RMON MIB is acquired.
The following figure shows an example of communication between the NMS and RMON agents. The NMS, through the RMON
agents running on devices, can acquire information about overall traffic, error statistics, and performance statistics of the
network segment where a managed network device interface is, thereby implementing remote management of network
devices.
Figure 2-2
Configuration Guide Configuring RMON
Overview
Feature Description
RMON Ethernet Statistics Collects statistics on the packet count, byte count, and other data of a monitored Ethernet
interface accumulatively.
RMON History Statistics Records the counts of packets, bytes, and other data communicated by an Ethernet
interface within the configured interval and calculates the bandwidth utilization within the
interval.
RMON Alarm Samples values of monitored variables at intervals. The alarm table is used in combination
with the event table. When the upper or lower limit is reached, a relevant event table is
triggered to perform event processing or no processing is performed.
The RMON Ethernet statistics function accumulatively collects statistics on network traffic information of an Ethernet interface
from the entry creation time to the current time.
Related Configuration
Run the rmon collection stats command to create Ethernet statistical entries on a specified Ethernet interface.
After statistical entries are successfully created on a specified interface, the statistics group collects statistics on the
traffic information of the current interface. The statistical items are variables defined in the RMON Ethernet statistical
table, and recorded information is the accumulated values of variables from the creation time of the RMON statistical
table to the current time.
The RMON history statistics function records accumulated statistics on traffic information of an Ethernet interface within each
interval.
Related Configuration
Run the rmon collection history command to create historical control entries on an Ethernet interface.
The RMON history group collects statistics on variables defined in the RMON history table and records accumulated
values of variables within each interval.
Configuration Guide Configuring RMON
The RMON alarm function periodically monitors value changes of alarm variables. If the value of an alarm variable reaches the
specified upper threshold or lower threshold, a corresponding event is triggered for processing, for example, a trap message is
transmitted or one logTable entry record is generated. If a lower threshold or upper threshold is reached multiple times
consecutively, only one corresponding event is triggered and another event is triggered till a reverse threshold is reached.
Related Configuration
Run the rmon event command to configure the event table and run the rmon alarm command to configure the RMON
alarm table.
The RMON alarm function is implemented by the alarm table and event table jointly. If a trap message needs to be
transmitted to a managing device in the case of an alarm event, the SNMP agent must be correctly configured first. For
the configuration of the SNMP agent, see the Configuring SNMP.
If a configured alarm object is a field node in the RMON statistics group or history group, the RMON Ethernet statistics
function or RMON history statistics function need to be configured on a monitored Ethernet interface first.
2.4 Configuration
(Mandatory) It is used to monitor whether data changes of a variable is within the valid
range.
Configuring RMON Alarm
rmon event Configures event entries.
rmon alarm Configures alarm entries.
Configuration Guide Configuring RMON
Acquire accumulated statistics on traffic information of a monitored Ethernet interface from the entry creation time to the
current time.
Notes
Configuration Steps
Mandatory.
If statistics and monitoring are required for a specified interface, Ethernet statistical entries must be configured on this
interface.
Verification
Related Commands
Configuration Example
Scenario
Figure 2-3
As shown in the preceding figure, the RMON agent is connected to the server, and the NMS requires the
Configuration Guide Configuring RMON
RMON statistics group to conduct performance statistics on received packets of interface Gi0/1.
Administrators can view the statistics at any time to understand data about received packets of an interface
and take measures in a timely manner to handle network exceptions.
Configuration Configure a statistical table instance on interface GigabitEthernet 0/1 to collect statistics on the traffic
Steps of this interface.
Agent
Ruijie# configure terminal
Verification Run the show rmon stats command to display Ethernet statistics.
Agent
Ruijie# show rmon stats
index = 1
owner = admin
status = 1
dropEvents = 0
octets = 25696
pkts = 293
broadcastPkts = 3
multiPkts = 0
crcAlignErrors = 0
underSizePkts = 0
overSizePkts = 0
fragments = 0
jabbers = 0
collisions = 0
packets64Octets = 3815
packets65To127Octets = 1695
packets128To255Octets = 365
packets256To511Octets = 2542
packets512To1023Octets = 152
Configuration Guide Configuring RMON
packets1024To1518Octets = 685
Common Errors
Statistical table entries are re-configured or configured statistical table entries are modified.
Acquire accumulated statistics on the traffic of a monitored Ethernet interface and the bandwidth utilization within each
interval.
Notes
Configuration Steps
Mandatory.
If network statistics on a specified interface need to be collected, RMON historical control entries must be configured on
the interface.
Verification
Run the show rmon history command to display history group statistics.
Related Commands
Command rmon collection history index [owner ownername] [buckets bucket-number] [interval seconds]
Parameter index: Indicates the index number of a history statistical entry, with the value ranging from 1 to 65,535.
Description owner ownername: Indicates the entry creator, that is, ownername, which is a case-sensitive string of 1-63
characters.
buckets bucket-number: Sets the capacity of the history table in which a history statistical entry exists, that
is, sets the maximum number of records (bucket-number) that can be accommodated in the history table.
The value of bucket-number ranges from 1 to 65,535 and the default value is 10.
interval seconds: Sets the statistical interval, with the unit of seconds. The value ranges from 1 second to
3,600 seconds and the default value is 1,800 seconds.
Command Interface configuration mode
Mode
Usage Guide The values of history statistical entry parameters cannot be changed.
Configuration Example
Scenario
Figure 2-4
As shown in the preceding figure, the RMON agent is connected to the server, and the NMS needs to collect
statistics on received packets of interface Gi0/1 through the RMON history group at an interval of 60
seconds, in an effort to monitor the network and understand emergency data.
Configuration Configure the history control table on interface GigabitEthernet 0/1 to periodically collect statistics on
Steps the traffic of this interface.
Agent
Ruijie# configure terminal
Ruijie(config-if-GigabitEthernet 0/1)# rmon collection history 1 buckets 5 interval 300 owner admin
Verification Run the show rmon history command to display history group statistics.
Agent
Ruijie# show rmon history
index = 1
bucketsRequested = 5
bucketsGranted = 5
interval = 60
owner = admin
stats = 1
index = 1
sampleIndex = 786
intervalStart = 6d:18h:37m:38s
dropEvents = 0
octets = 2040
Configuration Guide Configuring RMON
pkts = 13
broadcastPkts = 0
multiPkts = 0
crcAlignErrors = 0
underSizePkts = 0
overSizePkts = 0
fragments = 0
jabbers = 0
collisions = 0
utilization = 0
index = 1
sampleIndex = 787
intervalStart = 6d:18h:38m:38s
dropEvents = 0
octets = 1791
pkts = 16
broadcastPkts = 1
multiPkts = 0
crcAlignErrors = 0
underSizePkts = 0
overSizePkts = 0
fragments = 0
jabbers = 0
collisions = 0
utilization = 0
index = 1
sampleIndex = 788
intervalStart = 6d:18h:39m:38s
dropEvents = 0
octets = 432
Configuration Guide Configuring RMON
pkts = 6
broadcastPkts = 0
multiPkts = 0
crcAlignErrors = 0
underSizePkts = 0
overSizePkts = 0
fragments = 0
jabbers = 0
collisions = 0
utilization = 0
index = 1
sampleIndex = 789
intervalStart = 6d:18h:40m:38s
dropEvents = 0
octets = 432
pkts = 6
broadcastPkts = 0
multiPkts = 0
crcAlignErrors = 0
underSizePkts = 0
overSizePkts = 0
fragments = 0
jabbers = 0
collisions = 0
utilization = 0
index = 1
sampleIndex = 790
intervalStart = 6d:18h:41m:38s
dropEvents = 0
octets = 86734
Configuration Guide Configuring RMON
pkts = 934
broadcastPkts = 32
multiPkts = 23
crcAlignErrors = 0
underSizePkts = 0
overSizePkts = 0
fragments = 0
jabbers = 0
collisions = 0
utilization = 0
Common Errors
History control table entries are re-configured or configured history control table entries are modified.
Periodically monitor whether value changes of alarm variables are within the specified valid range.
Notes
If a trap message needs to be transmitted to a managing device when an alarm event is triggered, the SNMP agent must be
correctly configured. For the configuration of the SNMP agent, see the Configuring SNMP.
If an alarm variable is a MIB variable defined in the RMON statistics group or history group, the RMON Ethernet statistics
function or RMON history statistics function must be configured on the monitored Ethernet interface. Otherwise, an alarm table
fails to be created.
Configuration Steps
Mandatory.
Mandatory.
Verification
Run the show rmon event command to display the event table.
Run the show rmon alarm command to display the alarm table.
Related Commands
Command rmon event number [log] [trap community] [description description-string] [owner ownername]
Parameter number: Indicates the index number of an event table, with the value ranging from 1 to 65,535.
Description log: Indicates a log event. The system logs a triggered event.
trap community: Indicates a trap event. When an event is triggered, the system transmits a trap message
with the community name of community.
description description-string: Sets the description information about an event, that is, description-string.
The value is a string of 1-127 characters.
owner ownername: Indicates the entry creator, that is, ownername, which is a case-sensitive string of 1-63
characters.
Command Global configuration mode
Mode
Usage Guide The values of configured event entry parameters can be changed, including the event type, trap community
name, event description, and event creator.
Command rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number]
falling-threshold value [event-number] [owner ownername]
Parameter number: Indicates the index number of an alarm entry, with the value ranging from 1 to 65,535.
Description variable: Indicates an alarm variable, which is a string of 1-255 characters and is represented in dotted
format using the node OID (format: entry.integer.instance; example: 1.3.6.1.2.1.2.1.10.1).
Interval: Indicates the sampling interval, with the unit of seconds and the value ranging from 1 to
2,147,483,647.
absolute: Indicates that the sampling type is absolute value sampling, that is, variable values are directly
extracted when the sampling time is up.
delta: Indicates that the sampling type is changing value sampling, that is, changes in the variable values
within the sampling interval are extracted when the sampling time is up.
rising-threshold value: Sets the upper limit of the sampling quantity (value), with the value ranging from
-2,147,483,648 to +2,147,483,647.
event-number: Indicates that an event with the event number of event-number is triggered when the upper
limit or lower limit is reached.
falling-threshold value: Sets the lower limit of the sampling quantity (value), with the value ranging from
-2,147,483,648 to +2,147,483,647.
owner ownername: Indicates the entry creator, that is, ownername, which is a case-sensitive string of 1-63
characters.
Configuration Guide Configuring RMON
Configuration Example
Scenario
Figure 2-5
Assume that SNMPv1 runs on the NMS, the community name used for accessing the settings is public, with
the attribute of read-write, and the IP address used by the NMS to receive trap messages is 3.3.3.3.
Assume that the OID value of unknown protocol packets received by monitored interface GigabitEthernet0/3
is 1.3.6.1.2.1.2.2.1.15.3, the sampling mode is relative sampling, and the sampling interval is 60 seconds.
When the relative sampling value is larger than 100 or lower than 10, event 1 and event 2 are triggered
respectively. In event 1, a trap message is transmitted and the event is logged. In event 2, the event is only
logged.
The configuration of the RMON agent is completed on the terminal. The RMON agent is connected to the
NMS and is connected to the server through interface GI0/1. The RMON agent needs to monitor the count
of unknown protocol packets received by interface GI0/1. The sampling interval is 60 seconds. When the
absolute sampling value is smaller than 10, the event is only logged. When the absolute sampling value is
larger than 100, the event is logged and a trap message is transmitted to the NMS.
Ruijie(config)# rmon event 1 description rising-threshold-event log trap public owner admin
Configuration Guide Configuring RMON
Verification Run the show rmon event command to display the event table.
Run the show rmon alarm command to display the alarm table.
Agent
Ruijie# show rmon event
index = 1
description = rising-threshold-event
type = 4
community = public
lastTimeSent = 0d:0h:0m:0s
owner = admin
status = 1
index = 2
description = falling-threshold-event
type = 2
community =
lastTimeSent = 6d:19h:21m:48s
owner = admin
status = 1
eventIndex = 2
index = 1
logTime = 6d:19h:21m:48s
logDescription = falling-threshold-event
index: 1,
Configuration Guide Configuring RMON
interval: 60,
oid = 1.3.6.1.2.1.2.2.1.15.3
sampleType: 2,
alarmValue: 0,
startupAlarm: 3,
risingThreshold: 100,
fallingThreshold: 10,
risingEventIndex: 1,
fallingEventIndex: 2,
owner: admin,
stauts: 1
Common Errors
The entered OID of a monitored object is incorrect, the variable corresponding to the OID does not exist, or the type is
not an integer or unsigned integer.
2.5 Monitoring
Displaying
Description Command
Displays all RMON configuration show rmon
information.
Displays the Ethernet statistical table. show rmon stats
Displays the history control table. show rmon history
Displays the alarm table. show rmon alarm
Displays the event table. show rmon event
Configuration Guide Configuring NTP
3 Configuring NTP
3.1 Overview
The Network Time Protocol (NTP) is an application-layer protocol that enables network devices to synchronize time. NTP
enables network devices to synchronize time with their servers or clock sources and provides high-precision time correction
(the difference from the standard time is smaller than one millisecond in a LAN and smaller than decades of milliseconds in a
WAN). In addition, NTP can prevent attacks by using encrypted acknowledgment.
Currently, Ruijie devices can be used both as NTP clients and NTP servers. In other words, a Ruijie device can synchronize
time with a time server, and be used as a time server to provide time synchronization for other devices. When a Ruijie device
is used as a server, it supports only the unicast server mode.
3.2 Applications
Application Description
Synchronizing Time Based on an A device is used as a client that synchronizes time with an external clock source. After
External Reference Clock Source successful synchronization, it is used as a server to provide time synchronization for
other devices.
Synchronizing Time Based on a A device uses a local clock as a reliable NTP reference clock source and is also used as
Local Reference Clock Source a server to provide time synchronization for other devices.
DEVICE-A is used as a reliable reference clock source to provide time synchronization for external devices.
DEVICE-B specifies DEVICE-A as the NTP server and synchronizes time with DEVICE-A.
Figure 3-1
Configuration Guide Configuring NTP
Deployment
As shown in Figure 3-2, DEVICE-B uses a local clock as the NTP reference clock source and provides time synchronization
for DEVICE-C.
Figure 3-2
Deployment
3.3 Features
Basic Concepts
NTP Packet
As defined in RFC1305, NTP uses User Datagram Protocol (UDP) packets for transmission and the used UDP port ID is 123.
00: indicates no warning information; 01: indicates that there are 61 seconds in the previous minute; 10: indicates that
there are 59 seconds in the previous minute; 11: indicates that the clock is not synchronized.
Version Number(VN): indicates a 3-bit NTP version number. The current version number is 3.
0: indicates no definition; 1: indicates symmetric active; 2: indicates symmetric passive; 3: indicates a client; 4: indicates
a server; 5: indicates broadcasting; 6: indicates control information; 7: reserved.
Stratum: indicates the 8-bit stratum of a local clock. 0: indicates no definition; 1: indicates the master reference clock
source; other values: indicate slave reference clock sources.
Poll Interval: indicates the poll interval (seconds), which is a 8-bit integer.
Precision: indicates the time precision (seconds) of a local clock, which is a 8-bit integer.
Root Delay: indicates the round-trip time to the master reference clock source, which is a 32-bit integer.
Root Dispersion: indicates the largest difference from the master reference clock source, which is a 32-bit integer.
Reference Clock Identifier: indicates the 32-bit identifier of a reference clock source.
Reference Timestamp: indicates a 64-bit timestamp, namely, the time that is set or corrected at the last time.
Originate Timestamp: indicates a 64-bit timestamp, namely, the local time when a time synchronization request leaves
from a client.
Receive Timestamp: indicates a 64-bit timestamp, namely, the local time when a time synchronization request packet
arrives at a server.
Transmit Timestamp: indicates a 64-bit timestamp, namely, the local time when a time synchronization response packet
leaves from a server.
NTP Server
A device uses a local clock as the reference clock source to provide time synchronization for other devices in the network.
NTP Client
A device is used as an NTP client that synchronizes time with an NTP server in the network.
Stratum
In NTP, "stratum" is used to describe the hops from a device to an authority clock source. An NTP server whose stratum is 1
has a directly connected atomic clock or radio controlled clock; an NTP server whose stratum is 2 obtains time from the server
whose stratum is 1; an NTP server whose stratum is 3 obtains time from the server whose stratum is 2; and so on. Therefore,
clock sources with lower stratums have higher clock precisions.
Hardware Clock
Configuration Guide Configuring NTP
A hardware clock operates based on the frequency of the quartz crystal resonator on a device and is powered by the device
battery. After the device is shut down, the hardware clock continues running. After the device is started, the device obtains
time information from the hardware clock as the software time of the device.
Overview
Feature Description
NTP Time Network devices synchronize time with their servers or reliable clock sources to implement
Synchronization high-precision time correction.
NTP Security The NTP packet encryption authentication is used to prevent unreliable clock sources from time
Authentication synchronization interference on a device.
NTP Access Control An Access Control List (ACL) is used to filter sources of received NTP packets.
NTP time synchronization is implemented by interaction of NTP packets between a client and a server:
The client sends a time synchronization packet to all servers every 64 seconds. After receiving response packets from
the servers, the client filters and selects the response packets from all servers, and synchronizes time with an optimum
server.
After receiving the time synchronization request packet, a server uses the local clock as the reference source, and fills
the local time information into the response packet to be sent to the client based on the protocol requirement.
DEVICE-B (B for short) is used as an NTP reference clock source, DEVICE-A (A for short) is used as an NTP client that
synchronizes time with DEVICE-B. At a time point, the local clock of A is 19:00:00 and the local clock of B is 19:30:20.
1. A sends an NTP request packet. The local time (T0) when the packet leaves from A is 19:00:00 and is filled in Originate
Timestamp.
2. After a 2-second network delay, the local time (T1) when B receives the request packet is 19:30:23 and is filled in
Receive Timestamp.
Configuration Guide Configuring NTP
3. B processes the NTP request and sends an NTP response packet one second later. The local time (T2) when the
response packet leaves from B is 19:30:24 and is filled in Transmit Timestamp.
4. After a 2-second network delay, A receives the response packet. The local time (T3) when the response packet arrives at
A is 19:00:06.
A obtains the time difference of 30 minutes and 20 seconds between B and A by using the formula ((T1-T0)+(T2-T3))/2.
A obtains the packet round-trip delay of four seconds between A and B by using the formula (T3-T0)-(T2-T1).
In this mode, a device is used as both a server and a client. If receiving time synchronization requests from other clients, the
device must synchronize time with the specified server first and provide time synchronization for the clients after successful
synchronization.
In this mode, a device uses the default local clock as the reliable clock source and provides time synchronization directly for
other clients.
Related Configuration
Run the ntp server command to specify an NTP server (external clock reference source), which can enable NTP.
After the configuration, the device works in the external clock reference mode.
Real-time Synchronization
By default, a device does not update synchronized time to the hardware clock.
Run the ntp update-calendar command to enable a device to automatically update the hardware clock after
successfully synchronizing time each time.
Run the ntp master command to configure a device to the local clock reference mode.
Configuration Guide Configuring NTP
Working Principle
An NTP client and an NTP server are configured with the same key. When sending request and response packets, a device
calculates the hash values of the packets by using the MD5 algorithm based on the specified key and NTP packet content,
and fills the hash values into the packet authentication information. The receiving device checks whether the packets are sent
by a trusted device or modified based on the authentication information.
Related Configuration
Run the ntp authenticate command to enable the NTP security authentication mechanism.
Run the ntp authentication-key command to enable an NTP global authentication key.
Run the ntp trusted-key command to configure a device as the reference clock source to provide a trusted key for time
synchronization externally.
Run the ntp server command to specify an external reference source and the trusted key of this clock source as well.
Related Configuration
Run the ntp access-group command to configure the access control rights for NTP.
Configuration Guide Configuring NTP
3.4 Configuration
(Mandatory) It is used to enable NTP. After NTP is enabled, a device works in the
external clock reference mode.
Use a device as a client to synchronize time from an external reference clock source to the local clock.
After the time synchronization is successful, use the device as a time synchronization server to provide time
synchronization.
Use the local clock of a device as the NTP reference clock source to provide time synchronization.
Notes
In the client/server mode, a device can be used as a time synchronization server to provide time synchronization only
after successfully synchronizing time with a reliable external clock source.
Once the local clock reference mode is configured, the system will not synchronize time with a clock source with a higher
stratum.
Configuring a local clock as the master clock (especially when specifying a lower stratum) may overwrite an effective
clock source. If this command is used for multiple devices in a network, the clock difference between the devices may
cause unstable time synchronization of the network.
Before a local clock is configured as the master clock, if the system never synchronizes time with an external clock
source, you may need to manually calibrate the system clock to ensure that there is no excessive difference. For details
about how to manually calibrate the system clock, refer to the system time configuration section in the configuration
guide.
Configuration Steps
(Mandatory) At least one external reference clock source must be specified (A maximum of 20 different external
reference clock sources can be configured).
If it is necessary to configure an NTP key, you must configure NTP security authentication before configuring the NTP
server.
Optional.
By default, the system updates only the system clock, but not the hardware clock after successful time synchronization.
After this command is configured, the system automatically updates the hardware clock after successful time
synchronization.
To switch a device to the local clock reference mode, run this command.
Disabling NTP
To disable NTP and clear NTP configurations, run the no ntp command.
By default, all interfaces can receive NTP packets after NTP is enabled. To disable NTP for a specified interface, run the
ntp disable command.
Verification
Run the show ntp status command to display the NTP configuration.
Configuration Guide Configuring NTP
Run the show clock command to check whether time synchronization is completed.
Related Commands
Command ntp server{ ip-addr | domain | ip domain | ipv6 domain}[ version version][ source if-name][ key
keyid][ prefer]
Parameter ip-addr: Indicates the IPv4/IPv6 address of the reference clock source.
Description domain: Indicates the IPv4/IPv6 domain name of the reference clock source.
version: Indicates the NTP version number, ranging from 1 to 3.
if-name: Indicates the interface type, including AggregatePort, Dialer GigabitEthernet, Loopback, Multilink,
Null, Tunnel, Virtual-ppp, Virtual-template and Vlan.
keyid: Indicates the key used for communicating with the reference clock source, ranging from 1 to
4294967295.
prefer: Indicates whether the reference clock source has a high priority.
Command Global configuration mode
Mode
Usage Guide By default, no NTP server is configured. Ruijie client system supports interaction with up to 20 NTP servers.
You can configure an authentication key for each server (after configuring global authentication and the
related key) to initiate encrypted communication with the servers.
If it is necessary to configure an authentication key, you must configure NTP security authentication
before configuring an NTP server.
The default version of NTP for communicating with a server is NTP version 3. In addition, you can configure
the source interface for transmitting NTP packets and specify that the NTP packets from a corresponding
server can be received only on the transmitting interface.
Disabling NTP
Command no ntp
Parameter N/A
Description
Command Global configuration mode
Mode
Usage Guide This command can be used to fast disable all functions of NTP and clear all NTP configurations.
Configuration Example
Scenario
Figure 3-5
A(config)#exit
DEVICE-B
B#configure terminal
B(config)# exit
Configuration Guide Configuring NTP
DEVICE-C
C#configure terminal
C(config)# exit
Verification Run the show ntp status command on DEVICE-B to display the NTP configuration.
DEVICE-B sends a time synchronization packet to 192.168.1.1 in order to synchronize time with
DEVICE-A.
After successfully synchronizing time with DEVICE-A, DEVICE-B can respond to the time
synchronization request from DEVICE-C.
Run the show clock command on DEVICE-B and DEVICE-C to check whether the time
synchronization is successful.
Scenario
Figure 3-6
DEVICE-B configures the local clock as the NTP reference clock source.
DEVICE-C synchronizes time with DEVICE-B.
Configuration DEVICE-B configures the local clock as the NTP reference clock source.
Steps DEVICE-C configures DEVICE-B as the reference clock source.
DEVICE-B
B#configure terminal
B(config)# exit
DEVICE-C
C#configure terminal
C(config)# exit
Verification Run the show clock command on DEVICE-C to check whether the time synchronization is successful.
Use a device as a client to synchronize time only from a trusted external reference clock source to the local clock.
Use the local clock of a device as the NTP reference clock source to provide time synchronization for only a trusted device.
Configuration Guide Configuring NTP
Notes
The authentication keys of the client and server must be the same.
Configuration Steps
Mandatory.
Mandatory.
Optional.
To provide time synchronization for a trusted device, you must specify a trusted authentication key by using the key ID.
Only one trusted key can be configured. The specified authentication key must be consistent with that of the trusted
device.
Optional.
To synchronize time with a trusted reference clock source, you must specify a trusted authentication key by using the key
ID.
Each trusted reference clock source is mapped to an authentication key. The authentication keys must be consistent with
the keys of trusted reference clock sources.
Verification
Run the show clock command to check whether time is synchronized only with a trusted device.
Related Commands
mechanism is used, communication will not be encrypted. A global security indicator is not enough to imply
that the communication between the client and server is implemented in an encrypted manner. Other global
keys and an encryption key for the server must also be configured for initiating encrypted communication
between the client and server.
Configuration Example
Security Authentication
Scenario
Figure 3-7
DEVICE-B is configured to the NTP client/server mode and provides NTP services requiring security
authentication for DEVICE-C. The authentication key is "abcd".
DEVICE-A is used as the reference clock source of DEVICE-B.
DEVICE-C synchronizes time with DEVICE-B.
Configuration DEVICE-B configures DEVICE-A as the reference clock source.
Steps DEVICE-C configures DEVICE-B as the reference clock source.
Configuration Guide Configuring NTP
DEVICE-B
B#configure terminal
B(config)# exit
DEVICE-C
C#configure terminal
C(config)# exit
Verification DEVICE-B sends a time synchronization packet that carries authentication information to 192.168.1.1
in order to synchronize time with DEVICE-A.
Run the show clock command on DEVICE-B to check whether the time synchronization is successful.
Access control for NTP services provides a minimum security measure. A more secure method is to use an NTP
authentication mechanism.
Notes
Currently, the system does not support control query (used to control NTP servers by using network management
devices, such as setting the leap second indicator or monitoring its working status). Though rule matching is
implemented in the preceding sequence, no request related to control query is supported.
If no access control rule is configured, all accesses are allowed. If any access control rule is configured, only accesses
allowed by the rule can be implemented.
Related Configuration
Optional.
Run the ntp access-group command to configure the access control rights and a corresponding ACL for NTP.
Verification
Related Commands
Configuration Example
Configuration
Allow only the device with the IP address of 192.168.1.1 to send a time synchronization request to a local
Steps
device.
3.5 Monitoring
Displaying
Description Command
show ntp status Displays the current NTP information.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Configuration Guide Configuring NTP
Description Command
debug ntp Enables debugging.
no debug ntp Disables debugging.
Configuration Guide Configuring SNTP
4 Configuring SNTP
4.1 Overview
The Simple Network Time Protocol (SNTP) is a simplified version of Network Time Protocol (NTP), which is used to
synchronize the clocks of computers on the Internet. SNTP is applied in scenarios where it is unnecessary to use all
NTP functions.
NTP uses a complex algorithm and has higher requirements for the system whereas SNTP uses a simpler algorithm and
provides higher performance. Generally, SNTP precision can reach about 1s, which meets the basic requirements of most
scenarios. Since SNTP packets are the same as NTP packets, the SNTP client implemented on a device is fully compatible
with an NTP server.
RFC 2030: Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI
4.2 Applications
Application Description
Synchronizing Time with an NTP A device is used as a client to synchronize time with an NTP server.
Server
As shown in Figure 4-1, DEVICE-B uses a local clock as the NTP clock reference source and provides time synchronization
for DEVICE-C.
Figure 4-1
Deployment
4.3 Features
Basic Concepts
SNTP Packet
SNTPV4 is developed from NTP, which is intended to simplify the functions of NTP. It does not change the NTP specifications
and the original implementation of NTP. The message format of SNTPV4 is the same as that of NTP defined in RFC1305, with
only some data fields initialized into preset values.
As defined in RFC1305, SNTP uses User Datagram Protocol (UDP) packets for transmission and the used UDP port ID is
123.
00: indicates no warning information; 01: indicates that there are 61 seconds in the previous minute; 10: indicates that
there are 59 seconds in the previous minute; 11: indicates that the clock is not synchronized.
Version Number(VN): indicates a 3-bit NTP/SNTP version number. The current version number is 3.
0: indicates no definition; 1: indicates symmetric active; 2: indicates symmetric passive; 3: indicates a client; 4: indicates
a server; 5: indicates broadcasting; 6: indicates control information; 7: reserved.
Stratum: indicates the 8-bit stratum of a local clock. 0: indicates no definition; 1: indicates the master clock reference
source; other values: indicate slave clock reference sources.
Poll Interval: indicates the poll interval (seconds), which is a 8-bit integer.
Precision: indicates the time precision (seconds) of a local clock, which is a 8-bit integer.
Configuration Guide Configuring SNTP
Root Delay: indicates the round-trip time to the master clock reference source, which is a 32-bit integer.
Root Dispersion: indicates the largest difference from the master reference clock source, which is a 32-bit integer.
Reference Clock Identifier: indicates the 32-bit identifier of a reference clock source.
Reference Timestamp: indicates a 64-bit timestamp, namely, the time that is set or corrected at the last time.
Originate Timestamp: indicates a 64-bit timestamp, namely, the local time when a time synchronization request leaves
from a client.
Receive Timestamp: indicates a 64-bit timestamp, namely, the local time when a time synchronization request packet
arrives at a server.
Transmit Timestamp: indicates a 64-bit timestamp, namely, the local time when a time synchronization response packet
leaves from a server.
Overview
Feature Description
SNTP Time Synchronizes time from an SNTP/NTP server to a local device.
Synchronization
SNTP time synchronization is implemented by interaction of SNTP/NTP packets between a client and a server. The client
sends a time synchronization packet to the server at intervals (half an hour by default). After receiving a response packet from
the server, the client synchronizes time.
DEVICE-B (B for short) is used as an NTP reference clock source, DEVICE-A (A for short) is used as an SNTP client that
synchronizes time with DEVICE-B. At a time point, the local clock of A is 19:00:00 and the local clock of B is 19:30:20.
1. A sends an SNTP/NTP request packet. The local time (T0) when the packet leaves from A is 19:00:00 and is filled in
Originate Timestamp.
2. After a 2-second network delay, the local time (T1) when B receives the request packet is 19:30:23 and is filled in
Receive Timestamp.
3. B processes the NTP request and sends an NTP response packet one second later. The local time (T2) when the
response packet leaves from B is 19:30:24 and is filled in Transmit Timestamp.
4. After a 2-second network delay, A receives the response packet. The local time (T3) when the response packet arrives at
A is 19:00:06.
A obtains the time difference of 30 minutes and 20 seconds between B and A by using the formula ((T1-T0)+(T2-T3))/2.
A obtains the packet round-trip delay of four seconds between A and B by using the formula (T3-T0)-(T2-T1).
Related Configuration
Enabling SNTP
Run the sntp interval command to specify the time synchronization interval.
4.4 Configuration
An SNTP client accesses an NTP server at fixed intervals to correct the clock regularly.
Notes
All time obtained through SNTP communication is Greenwich Mean Time (GMT). To obtain precise local time, you need to set
the local time zone for alignment with GMT.
Configuration Steps
Enabling SNTP
Optional.
Verification
Related Commands
Enabling SNTP
Parameter ip-address: indicates the IP address of an SNTP server. No SNTP server is configured by default.
Description domain: domain name of the SNTP server. No SNTP server is configured by default.
source-ip-address: Indicates the source IP address.
Command Global configuration mode
Mode
Usage Guide Since SNTP is fully compatible with NTP, the server can be configured as a public NTP server on the
Internet.
Since SNTP packets are the same as NTP packets, the SNTP client is fully compatible with the NTP server.
There are many NTP servers on the Internet. You can select an NTP server with a shorter delay as the
SNTP server on your device.
The interval configured here does not take effect immediately. To make it take effect immediately, run
the sntp enable command.
Configuration Example
Scenario
Figure 4-4
C(config)# exit
Verification Run the show clock command on DEVICE-C to check whether the time synchronization is successful.
Run the show sntp command on DEVICE-C to display the SNTP status and check whether the server
is successfully configured.
Configuration Guide Configuring SNTP
4.5 Monitoring
Displaying
Description Command
show sntp Displays SNTP-related parameters.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
debug sntp Enables debugging.
Configuration Guide Configuring SPAN and RSPAN
5.1 Overview
The Switched Port Analyzer (SPAN) is to copy packets of a specified port to another switch port that is connected to a network
monitoring device, so as to achieve network monitoring and troubleshooting.
All input and output packets of a source port can be monitored through SPAN. For example, as shown in the following figure,
all packets on Port 5 are mapped to Port 10, and the network analyzer connected to Port 10 receives all packets that pass
through Port 5.
The SPAN function is mainly applied in network monitoring and troubleshooting scenarios, to monitor network information and
rectify network faults.
The Remote SPAN (RSPAN), an extension to SPAN, is capable of remotely monitoring multiple devices. Each RSPAN
session is established in a specified remote VLAN. RSPAN breaks through the limitation that a mirrored port and a mirroring
port must reside on the same device, and allows a mirrored port to be several network devices away from a mirroring port.
Users can observe data packets of the remote mirrored port by using an analyzer in the central equipment room.
The application scenarios of RSPAN are similar to those of SPAN. RSPAN allows users to conduct real-time data monitoring
without staying in the equipment room, providing great convenience for users.
VLAN SPAN (VSPAN) considers data streams of some VLANs as data sources and mirrors them to a destination port. The
configuration is similar to that of the port-based SPAN. VSPAN has the following features:
A VLAN that is not a remote VLAN can be specified as the data source of VSPAN.
Some VLANs that are not remote VLANs can be specified as the data sources of VSPAN.
When a VLAN is configured as a data source, packets only in the Rx direction can be mirrored.
Configuration Guide Configuring SPAN and RSPAN
5.2 Applications
Application Description
Stream-based SPAN Data streams with certain characteristics need to be monitored, for example, data
streams using a specified access control list (ACL) policy need to be monitored.
One-to-Many RSPAN Multiple users need to monitor data of the same port.
RSPAN Basic Applications Packets on the mirroring source device need to be mirrored to the destination device
for monitoring.
As shown in the following figure, the network analyzer can be configured to can monitor all data streams forwarded by Switch
A to Switch B and specific data streams of Switch B (for example, data streams from PC1 and PC2).
Deployment
In the preceding figure, configure the SPAN function on Switch A connected to the network analyzer, set port Gi 0/1
connected to Switch B as the SPAN source port, and set port Gi 0/2 that is directly connected to the network analyzer as
the SPAN destination port.
Configure stream-based SPAN (only data streams of PC1and PC2 are allowed) for the source port Gi 0/1 of SPAN.
Configuration Guide Configuring SPAN and RSPAN
As shown in the following figure, one-to-many RSPAN can be implemented on a single device, that is, both PC 1 and PC 2 can
be configured to monitor the transmitted and received traffic of the port connected to the server. Users can make proper
configuration (for example, remote VLAN and port MAC loopback) to monitor data streams that pass through port Gi 4/1 on
PC 1 and PC 2, thereby monitoring data streams of the server.
Deployment
Configure Switch A as the source device of RSPAN and configure the port Gi 4/1 that is directly connected to the server
as the RSPAN source port. Select a port that is in the Down state, Gi 4/2 in this example, as the RSPAN output port, add
this port to the remote VLAN, and configure MAC loopback (run the mac-loopback command in interface configuration
mode).
Add ports that are directly connected to PC 1 and PC 2 to the remote VLAN.
As shown in the following figure, the RSPAN function enables the network analyzer to monitor the STA connected to the
source device Switch A from the destination device Switch C through the intermediate device Switch B. The devices can
normally exchange data with each other.
Deployment
5.3 Features
Basic Concepts
SPAN Session
A SPAN session is data streams between the SPAN source port and the destination port, which can be used to monitor the
packets of one or more ports in the input, output, or both directions. Switched ports, routed ports, and aggregate ports (APs)
can be configured as source ports or destination ports of SPAN sessions. Normal operations on a switch are not affected after
ports of the switch are added to a SPAN session.
Users can configure a SPAN session on a disabled port but the SPAN session is inactive. A SPAN session is in the active
state only after the port on which the SPAN session is configured is enabled. In addition, a SPAN session does not take effect
after a switch is powered on. It is active only after the destination port is in the operational state. Users can run the show
monitor [ session session-num] command to display the operation status of a SPAN session.
Input data streams: All packets received by a source port are copied to the destination port. Users can monitor input
packets of one or more source ports in a SPAN session. Some input packets of a source port may be discarded for some
reasons (for example, for the sake of port security). It does not affect the SPAN function and such packets are still
mirrored to the destination port.
Configuration Guide Configuring SPAN and RSPAN
Output data streams: All packets transmitted by a source port are copied to the destination port. Users can monitor
output packets of one or more source ports in a SPAN session. Packets transmitted from other ports to a source port
may be discarded for some reasons and such packets will not be transmitted to the destination port. The format of output
packets of a source port may be changed for some reasons. For example, after routing, packets transmitted from the
source port are changed in source MAC addresses, destination MAC addresses, VLAN IDs, and TTLs, and their formats
are also changed after copied to the destination port.
Bidirectional data streams: Bidirectional data streams include input data streams and output data streams. In a SPAN
session, users can monitor data streams of one or more source ports in the input and output directions.
Source Port
A source port is called a monitored port. In a SPAN session, data streams of the source port are monitored for network
analysis and troubleshooting. In a single SPAN session, users can monitor the input, output, and bidirectional data streams,
and the number of source ports is not restricted.
A source port and a destination port can belong to the same VLAN or different VLANs.
Destination Port
A SPAN session has one destination port (called a monitoring port) for receiving packets copied from a source port.
CPU SPAN
CPU SPAN is to monitor packets transmitted from the CPU. Common SPAN monitors forwarded packets of a source port,
excluding packets that are actively transmitted by the CPU to the source port. For example, for packets generated when a
device actively pings another device, common SPAN cannot monitor the ping packets on the transmit device, unless the port
of the receive device is configured as a source port for monitoring. CPU SPAN can directly monitor such packets generated
when a device actively pings another device.
CPU SPAN can be configured separately, that is, only packets transmitted by the CPU are monitored.
CPU SPAN can be configured together with common SPAN, that is, common mirrored packets and CPU packets are
monitored.
Overview
Feature Description
Configuration Guide Configuring SPAN and RSPAN
5.3.1 SPAN
SPAN is used to monitor data streams on switches. It copies frames on one port to another switch port that is connected to a
network analyzer or RMON analyzer so as to analyze the communication of the port.
Working Principle
When a port transmits or receive packets, SPAN, after checking that the port is configured as a SPAN source port, copies the
packets transmitted and received by the port to the destination port.
Users need to specify a SPAN session ID and source port ID to configure a SPAN source port, and set the optional SPAN
direction item to determine the direction of SPAN data streams or specify an ACL policy to mirror specific data streams.
Users need to specify a SPAN session ID and destination port ID to configure a SPAN destination port, and set the optional
switching function item to determine whether to enable the switching function and tag removal function on the SPAN
destination port.
Related Configuration
The SPAN function is disabled by default. It is enabled only after a session is created, and the SPAN source and destination
ports are configured. A SPAN session can be created when a SPAN source port or destination port is configured.
A SPAN session does not have a SPAN source port by default. Users can run the following command to configure a SPAN
source port:
session-num: Indicates the SPAN session ID. The number of supported SPAN sessions varies with products.
rx: Indicates that only packets received by the source port are monitored after rx is configured.
tx: Indicates that only packets transmitted by the source port are monitored after tx is configured.
both: Indicates that packets transmitted and received by the source port are copied to the destination port for monitoring after
both is configured, that is, both includes rx and tx. If none of rx, tx, and both is selected, both is enabled by default.
acl: Specifies an ACL policy. After this option is configured, packets allowed by the ACL policy on the source port are
monitored. This function is disabled by default.
A SPAN session does not have a SPAN destination port by default. Users can run the following command to configure a
SPAN destination port:
switch: Indicates that the SPAN destination port only receives packets mirrored from the SPAN source port and discards
other packets if this option is disabled, and receives both packets mirrored from the SPAN source port and packets from
non-source ports if this option is enabled, that is, the communication between this destination port and other devices is not
affected.
When the SPAN destination port is configured, the relevant function is disabled by default if encapsulation replicate or
switch is not configured.
This function is disabled by default. Users can run the monitor session session-num source interface interface-id rx acl
acl-name command to configure stream-based SPAN.
The SPAN destination port is used for the Spanning Tree Protocol (STP) calculation.
If a source port or destination port is added to an AP, the source port or destination port exits from a SPAN session.
If a VLAN (or VLAN list) is used as a SPAN source, ensure that the destination port has sufficient bandwidth for receiving
mirrored data of the VLAN (or VLAN list).
Not all products support all options of the preceding commands because of product differences.
5.3.2 RSPAN
RSPAN is capable of monitoring multiple devices. Each RSPAN session is established in a specified remote VLAN. RSPAN
breaks through the limitation that a mirrored port and a mirroring port must reside on the same device, and allows a mirrored
port to be several network devices away from a mirroring port.
Working Principle
A remote VLAN is created for the source device, intermediate device, and destination device, all ports involved in an RSPAN
session need to be added to the remote VLAN. Mirrored packets are broadcasted in the remote VLAN so that they are
transmitted from the source port of the source switch to the destination port of the destination switch.
Packets from an RSPAN source port are broadcasted in a remote VLAN so as to be copied from the local switch to the remote
switch. The RSPAN source port, output port, reflection port, transparent transmission ports of the intermediate device (packet
input port and output port of the intermediate device), destination port and input port of the destination port must be added to
the remote VLAN. The RSPAN function requires configuring a VLAN as a remote VLAN in VLAN mode.
Configuration Guide Configuring SPAN and RSPAN
The configuration of the RSPAN source port and destination port are similar to that of the SPAN source port and destination
port, but the mirroring session ID specified during configuration must be the ID of an RSPAN session.
The configuration of an RSPAN source port is the same as that of a SPAN source port, but the specified mirroring session ID
must be the ID of an RSPAN session.
The output port is located on the source device and must be added to a remote VLAN. Mirrored packets of a source port are
broadcasted in this remote VLAN. The source device transmits packets to the intermediate switch or destination switch
through the output port.
When an RSPAN destination port is configured, an RSPAN session ID, remote VLAN, and port name must be specified so
that packets from the source port are copied to the destination port through the remote VLAN.
RSPAN is an extension to SPAN and also supports stream-based mirroring. The configuration is the same as that of
stream-based SPAN. Stream-based RSPAN does not affect normal communication.
Users can configure an ACL in the input direction of a source port on an RSPAN source device. Standard ACLs, extended
ACLs, MAC ACLs, and user-defined ACLs are supported.
Users can configure a port ACL in the input direction of a source port on an RSPAN source device, and configure a port ACL
in the output direction of the destination port on the RSPAN destination device. Users can also configure an ACL in the output
direction of a remote VLAN on an RSPAN source switch and configure an ACL in the input direction of the remote VLAN on
the RSPAN destination switch.
If data streams of one source port need to be mirrored to multiple destination ports, users can configure an RSPAN session,
configure the source port of the RSPAN session as a one-to-many mirroring source port and select another Ethernet port as
the forwarding port (output port on the source device).In addition, the MAC loopback function needs to be configured on the
RSPAN forwarding port in interface configuration mode, the expected RSPAN output port and RSPAN forwarding port need to
be added to the remote VLAN. Then, mirrored packets are looped back on the RSPAN forwarding port and then broadcasted
in the remote VLAN, thereby implementing one-to-many RSPAN.
Related Configuration
The RSPAN function is disabled by default. It is enabled only after an RSPAN session is created, and a remote VLAN, RSPAN
source port, and RSPAN destination port are configured.
No remote VLAN is specified for RSPAN by default. Users can run the remote-span command in VLAN mode to configure a
VLAN as a remote VLAN. One remote VLAN corresponds to one RSPAN session.
This function is disabled by default. Users can run the monitor session session-numremote-source command in global
configuration mode to configure a device as the remote source device of a specified RSPAN session.
This function is disabled by default. Users can run the monitor session session-numremote-destination command in global
configuration mode to configure a device as the remote destination device of a specified RSPAN session.
A source port of an RSPAN session is configured on the source device. The configuration is the same as that of a SPAN
source port but an RSPAN session ID needs to be specified. This function is disabled by default.
This function is disabled by default. Users can run the monitor session session-num destination remote vlan remote-vlan
interface interface-name [ switch ] command in global configuration mode to configure an output port on the RSPAN source
device. If the option switch is configured, the output port can participate in normal data packet switching. It is not configured
by default. The output port must be added to a remote VLAN.
This function is disabled by default. Users can run the monitor session session-num destination remote vlan remote-vlan
interface interface-name [ switch ] command in global configuration mode to configure a destination port on the RSPAN
destination device. If the option switch is configured, the destination port can participate in normal data packet switching. It is
not configured by default. The destination port must be added to a remote VLAN.
A remote VLAN must be configured on each device, their VLAN IDs must be consistent, and all ports that participate in a
session must be added to the VLAN.
Do not configure a port that is connected to an intermediate switch or destination switch as an RSPAN source port.
Otherwise, traffic on the network may be in chaos.
5.4 Configuration
Configures an RSPAN
monitor session session-num remote-source session ID and specifies
a source device.
Configures an RSPAN
monitor session session-num remote-destination session ID and specifies
a destination device.
Configuring
Configures a remote
RSPAN Basic remote-span
VLAN.
Functions
Configures an RSPAN
monitor session session-num source interface interface-id [ both | rx | tx ]
source port.
Configures an output
port on the RSPAN
monitor session session-num destination remote vlan remote-vlan-id source device or a
interface interface-id [ switch ] destination port on the
RSPAN destination
device.
Configure a destination port to monitor any packets transmitted and received by a source port.
Notes
If a source port or destination port is added to an AP, the source port or destination port exits from a SPAN session.
If the switch function is disabled on a SPAN destination port, the destination port receives only mirrored packets and
discards other packets that pass through the port. After the switch function is enabled, the destination port can receive
non-mirrored packets.
Configuration Guide Configuring SPAN and RSPAN
Configuration Steps
You can configure a SPAN session when configuring a SPAN source port or destination port, or when configuring a
specified VLAN or some VLANs as a data source or data sources of SPAN.
You can select the SPAN direction when configuring a SPAN source port. The both direction is configured by default,
that is, both transmitted and received packets are monitored.
A SPAN session is active only when a SPAN source port is configured (or a VLAN is specified as the data source of
SPAN) and a SPAN destination port is configured.
Verification
Run the show monitor command or the show running command to verify the SPAN configuration. Alternatively,
conduct packet capture analysis on the SPAN destination port and check whether the SPAN function takes effect
according to the captured packets.
Related Commands
default.
Command Global configuration mode
Mode
Usage Guide N/A
Configuration Example
Scenario
Figure 5-5
Configuration As shown in Figure 5-5, add ports Gi 0/1 and Gi 0/2 of Device A to VLAN 1.
Steps Create SVI 1 and set the address of SVI 1 to 10.10.10.10/24.
Set IP addresses of PC 1 and PC 2 to 10.10.10.1/24 and 10.10.10.2/24 respectively.
Configure SPAN for Device A and configure ports Gi 0/1 and Gi 0/2 as the source port and destination
port of SPAN respectively.
A
Ruijie# configure
Ruijie(config)# vlan 1
Ruijie(config-vlan)# exit
Verification Run the show monitor command to check whether SPAN is configured correctly. After successful
configuration, PC 1 sends ping packets to SVI 1 and PC 2 conducts monitoring by using the packet capture
tool.
A
Ruijie# show monitor
sess-num: 1
span-type: LOCAL_SPAN
src-intf:
dest-intf:
GigabitEthernet 0/2
Common Errors
The session ID specified during configuration of the SPAN source port is inconsistent with that specified during
configuration of the SPAN destination port.
Configuration Guide Configuring SPAN and RSPAN
Packet loss may occur if packets of a port with large bandwidth are mirrored to a port with small bandwidth.
Configure a source port and destination port on the source device of an RSPAN session and configure the destination
port on the destination device.
Configure the destination port on the RSPAN destination device to monitor any packets that are transmitted or received
by the source port.
Notes
If a source port or destination port is added to an AP, the source port or destination port exits from a SPAN session.
If the switch function is disabled on an RSPAN destination port, the destination port receives only mirrored packets and
discards other packets that pass through the port. After the switch function is enabled, the destination port can receive
non-mirrored packets.
A remote VLAN must be created on an intermediate device and transparent transmission ports must be added to the
remote VLAN.
Configuration Steps
The same session ID needs to be configured on the RSPAN source device and RSPAN destination device.
Complete the configuration on an RSPAN source device. After configuration, RSPAN monitoring can be conducted on
packets of the RSPAN source port. You can specify RSPAN to monitor remote VLAN packets in the input direction,
output direction, or both directions of the RSPAN source port.
Complete the configuration on an RSPAN source device. After configuration, mirrored packets received by the ports
added to the remote VLAN can be transmitted to the RSPAN destination device through the output port.
The loopback port and output port are required for the one-to-many RSPAN, while the one-to-one RSPAN requires only
output port.
Complete the configuration on the RSPAN destination device. After configuration, the RSPAN destination device
forwards mirrored packets received by the ports added to the remote VLAN to the monitoring device through the
destination port.
Verification
Run the show monitor command or the show running command to check whether RSPAN is successfully configured
on each device, or conduct packet capture on the destination mirroring port on the RSPAN destination device to check
whether packets mirrored from the source port of the RSPAN source device are captured.
Related Commands
Command remote-span
Parameter N/A
Description
Command VLAN mode
Configuration Guide Configuring SPAN and RSPAN
Mode
Usage Guide N/A
Command monitor session session-num source interface interface-id [ both | rx | tx ][acl acl-name]
Parameter session-num: Indicates the ID of an RSPAN session.
Description interface-id: Indicates the interface ID.
both: Indicates that packets in the input and output directions are monitored. It is the default value.
rx: Indicates that packets in the input direction are monitored.
tx: Indicates that packets in the output direction are monitored.
acl-name: Indicates an ACL name.
Command Global configuration mode
Mode
Usage Guide The configuration is the same as that of a SPAN source port but an RSPAN session ID needs to be
specified.
Command monitor session session-num destination remote vlan remote-vlan interface interface-id [ switch ]
Parameter session-num: Indicates the ID of an RSPAN session.
Description remote-vlan: Indicates a remote VLAN.
interface-id: Indicates the interface ID.
switch: Indicates whether the port participates in packet switching.
Command Global configuration mode
Mode
Usage Guide The loopback port and output port are required for the one-to-many RSPAN, while the one-to-one RSPAN
requires only output port.
Command monitor session session-num destination remote vlan remote-vlan interface interface-id [ switch ]
Parameter session-num: Indicates the ID of an RSPAN session.
Description remote-vlan: Indicates a remote VLAN.
interface-id: Indicates the interface ID.
switch: Indicates whether the port participates in packet switching.
Command Global configuration mode
Mode
Usage Guide N/A
Configuration Example
Configuring RSPAN
Configuration Guide Configuring SPAN and RSPAN
Scenario
Figure 5-6
Configuration As shown in the preceding figure, configure a remote VLAN on the source device Switch A,
Steps intermediate device Switch B, and destination device Switch C.
Configure the RSPAN source device, specify the source port, output port and loopback port on Switch
A.
Add ports Gi0/1 and Gi0/2 to the remote VLAN on Switch B.
Configure the RSPAN destination device and specify the destination port on Switch C.
A
Ruijie# configure
Ruijie(config)# vlan 7
Ruijie(config-vlan)# remote-span
Ruijie(config-vlan)# exit
Ruijie(config-if)# mac-loopback
Ruijie(config-if)# exit
B, C
Ruijie(config)# vlan 7
Ruijie(config-vlan)# remote-span
Ruijie(config-vlan)# exit
Verification Run the show monitor command or the show running command on Switch A, Switch B, and Switch C to
check whether RSPAN is configured successfully.
A
Ruijie# show monitor
sess-num: 1
span-type: SOURCE_SPAN
src-intf:
dest-intf:
GigabitEthernet 0/2
Remote vlan 7
mtp_switch on
B
!
vlan 1
remote-span
C
Ruijie# show monitor
sess-num: 1
span-type: DEST_SPAN
dest-intf:
GigabitEthernet 0/2
Configuration Guide Configuring SPAN and RSPAN
Remote vlan 7
mtp_switch on
Common Errors
A remote VLAN must be configured on the source device, intermediate device, and destination device, and their VLAN
IDs must be consistent.
Packet loss may occur if packets of a port with large bandwidth are mirrored to a port with small bandwidth.
One MAC loopback port and multiple output ports need to be configured to implement one-to-many RSPAN.
5.5 Monitoring
Displaying
Description Command
Displays all mirroring sessions show monitor
existing in the system.
Displays a specified mirroring show monitor session session-id
session.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs SPAN. debug span
Configuration Guide Configuring ERSPAN
6 Configuring ERSPAN
6.1 Overview
Encapsulated Remote Switched Port Analyzer (ERSPAN) is an extension to Remote Switched Port Analyzer (RSPAN). SPAN
data packets of common RSPANs can be transmitted only within Layer 2 and cannot pass through routing networks. However,
an ERSPAN can transmit SPAN packets between routing networks.
An ERSPAN encapsulates all SPAN packets into IP packets through a generic routing encapsulation (GRE) tunnel, and routes
them to the destination port of an RSPAN device. The following figure shows the topology of a typical application:
There are two kinds of roles played by the devices in the figure:
Source switch: A source switch refers to the switch where the ERSPAN source port resides. It copies the packets on the
source port, outputs the copies from the output port, encapsulates them into IP packets, and forwards the IP packets to
the destination switch.
Destination switch: A destination switch refers to the switch where the ERSPAN destination port resides. It puts the
received SPAN packets through the SPAN destination port, decapsulates them into GRE packets, and then forwards the
GRE packets to the monitoring device.
To implement ERSPAN, the GRE-encapsulate IP packets must be able to be normally routed to the destination SPAN device.
6.2 Applications
Application Description
Basic ERSPAN Applications Packets on the SPAN source device need to be mirrored to the destination device for
monitoring.
Configuration Guide Configuring ERSPAN
As shown in the following figure, ERSPAN enables the network analyzer to monitor the users connected to the source device
Switch A. The devices can normally exchange data with each other.
Deployment
On Switch A, configure the port directly connected to users (Gi 0/1) as a source port, and configure the port connected to
Switch B (Gi 0/2) as an output port.
On Switch B, the ports connected to Switch A and Switch C (Gi 0/1 and Gi 0/2) are respectively member interfaces of
switch virtual interface (SVI) interfaces of two network segments, ensuring interworking between the two IP network
segments.
6.3 Features
Basic Concepts
ERSPAN Session
SPAN data packets of common RSPANs can be transmitted only within Layer 2 and cannot pass through routing networks.
However, ERSPAN mirroring allows SPAN packets to be transmitted between routing networks. An ERSPAN encapsulates all
SPAN packets into IP packets through a GRE tunnel, and routes them to the destination port of an RSPAN device. An
ERSPAN can monitor input, output, and bidirectional packets of one or more ports. Ports such as a switched port, routed port
and aggregate port (AP) can be configured as a source port for an ERSPAN session. The switch is not affected after the port
is added to an ERSPAN session.
Configuration Guide Configuring ERSPAN
Source Port
A source port is also called a monitored port. In an ERSPAN session, data streams of the source port are monitored for
network analysis and troubleshooting. In a single ERSPAN session, users can monitor the input, output, and bidirectional data
streams, and the number of source ports is not limited. A source port has the following features:
It supports mirroring of multiple source ports on the source device to the designated output ports.
The source port and output port cannot be on the same port; when the SPAN source port is a Layer-3 interface, both
Layer-2 and Layer-3 packets are monitored.
When multiple ports are bidirectionally monitored, a packet is input from a port and output from the other. Such
monitoring is considered correct if only one packet is monitored.
When the status of enabled Spanning Tree Protocol (STP) port is in block state, the input and output packets on the port
can be monitored;
Source port and destination port can belong to the same VLAN or different VLANs.
Overview
Feature Description
ERSPAN Configures SPAN on different Internet ports.
6.3.1 ERSPAN
Encapsulated ERSPAN is an extension of RSPAN. SPAN data packets of common RSPANs can be transmitted only within
Layer 2 and cannot pass through routing networks. However, an ERSPAN can transmit SPAN packets between routing
networks.
Working Principle
All the mirrored packets are encapsulated into IP packets through a GRE tunnel, and routed to the destination port of an
RSPAN device.
Configure ERSPAN of the switch, and distinguish between attributes of ERSPAN switch of the device. You need to designate
an ERSPAN session ID, and enter the ERSPAN configuration mode after configuration succeeds.
After entering the ERSPAN configuration mode, you need to name the source port to configure the SPAN source port, and
determine the direction of SPAN data streams according to optional configurations of SPAN direction.
By default, enabling an ERSPAN session is to enable ERSPAN mirroring. Only enabled ERSPAN sessions take effect.
Encapsulating an origin IP address aims to configure the origin IP address of an encapsulated GRE packet.
Encapsulating a destination IP address aims to configure the destination IP address of an encapsulated GRE packet and
ensure normal routing of SPAN packets on the network.
Encapsulating IP TTL/DSCP
Encapsulate Time to Live (TTL) and Differentiated Services Code Point (DSCP) values of IP packets.
Related Configuration
By default, an SPAN is disabled. It is enabled only after a session is created, and source SPAN port, origin IP and destination
IP addresses are configured.
Wherein,
session-num: Indicates that the number of SPAN sessions supported by SPAN session IDs varies with products.
rx: Indicates that only the packets received by the source port are monitored after rx is configured.
tx: Indicates that only the packets sent from the source port are monitored after tx is configured.
both: Indicates that after both is configured, the packets sent and received by the source port are transmitted to the
destination port to be monitored; that is to say, both includes rx and tx. If none of rx, tx, or both is configured, both is enabled
by default.
The function is disabled by default.Run the Ruijie(config-mon-erspan-src)# source interface interface-id rx acl acl-name
Wherein,
ip-address: Encapsulates the destination IP address.
Encapsulating IP TTL
Encapsulating IP DSCP
Confirm the Layer-3 routing connectivity from source switch to destination switch.
If a source port or destination port is added to an AP, the source port or destination port egresses an ERSPAN session.
As a result of product differences, not all products support all options of the above-mentioned commands.
6.4 Configuration
monitor session
Configures an ERSPAN session ID, and enters the
erspan_source_session_number
Configuring configuration mode of the source ERSPAN device.
erspan-source
Basic ERSPAN
source interface single_interface {[ rx | tx | Associates the source ERSPAN port, and selects an
Functions
both ]} SPAN direction.
source interface single_interface rx acl Configures the stream-based SPAN source for
acl-name ERSPAN.
shutdown Disables ERSPAN mirroring.
Configuration Guide Configuring ERSPAN
Notes
If a source port is added to an AP, the source port egresses an ERSPAN session.
The Layer-3 routing connectivity from source switch to destination switch must be ensured.
Configuration Steps
ERSPAN Session
The session ID configured with local SPAN or RSPAN cannot be used for an ERSPAN session. Enter the ERSPAN
mode after configuration.
Source Port
An SPAN direction can be selected during configuration of the SPAN source port. The direction is both by default; that is,
both reception and transmission of packets are monitored.
By default, enabling an ERSPAN session is to enable ERSPAN mirroring. Only enabled ERSPAN sessions take effect.
Encapsulating IP TTL/DSCP
Verification
Run the show monitor command or the show running command to verify the SPAN configuration. You can also
conduct packet capture analysis on the SPAN destination port and check whether SPAN takes effect according to the
captured packets.
Related Commands
Command shutdown
Parameter
Description
Command ERSPAN session mode
Mode
Usage Guide N/A
Encapsulating IP TTL
Encapsulating DSCP
Configuration Example
Scenario
Figure 6-3
Configuration As shown in Figure 6-3, on Switch A, create ERSPAN Session 1 and configure it as the source device,
Steps and configure Gi 0/1 as the source port.
Verification
Step 1: Check the configuration of the device.
SwitchA#show running-config
SwitchA#show monitor
Configuration Guide Configuring ERSPAN
GigabitEthernet 0/2
ip ttl 64
ip dscp 0
Common Errors
The session ID used to configure ERSPAN mirroring is configured with RSPAN or LOCAL SPAN.
Layer-3 routing interworking between source switch and destination switch fails.
6.5 Monitoring
Displaying
Description Command
Displays all SPAN sessions in the show monitor
system.
Displays specific SPAN sessions. show monitor session session-id
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs SPAN. debug span
Configuration Guide Configuring sFlow
7 Configuring sFlow
7.1 Overview
sFlow is a network monitoring technology jointly developed by InMon, HP, and FoundryNetworks in 2001. This technology has
been standardized. It can provide complete traffic flows of Layer 2 to Layer 4, and it is applicable to traffic analysis in the
extra-large network. This technology helps users analyze the performance, trend, and existence of network traffic flows in a
detailed manner in real time.
Accurate: sFlow supports accurate monitoring of traffic on a Gigabit network or a network with higher bandwidth.
Scalable: One sFlow Collector can monitor thousands of sFlow Agents, and it has high scalability.
Low cost: sFlow Agent is embedded in a network device, and its cost is low.
Protocol Specification
sFlow Version 5
RFC 1014
7.2 Applications
As shown in Figure 7-1, start switch A that serves as an sFlow Agent, enable flow sampling and counter sampling on port Te
0/1, monitor the traffic in the 192.168.1.0 network segment, encapsulate the sampling data into sFlow datagrams at regular
intervals or when the buffer is full, and sent the sFlow data to the sFlow Collector for traffic analysis.
Figure 7-1
Configuration Guide Configuring sFlow
Function Deployment
Lots of server software supports sFlow. You can obtain software supporting sFlow at
http://www.sflow.org/products/collectors.php. The software sflowtrend is free of charge.
7.3 Features
Basic Concepts
sFlow Agent
sFlow Agent is embedded in a network device. Generally, one network device can serves as an sFlow Agent. sFlow Agent can
perform flow sampling and counter sampling, encapsulate sampled data into sFlow datagrams, and send the sFlow
datagrams to the sFlow Collector.
sFlow datagrams are encapsulated in UDP. Figure 7-2 shows the sFlow datagram format.
One sFlow datagram may contain one or multiple flow samples and counter samples.
Field Description
Switch uptime Duration from the startup time of the switch to the current time
sFlow Collector
sFlow Collector receives and analyzes the sFlow datagram sent from the sFlow Agent. sFlow Collector may be a PC or server.
A PC or server installed with the application software for sFlow datagram analysis can be regarded as an sFlow Collector.
Flow Sampling
Based on the specified sampling rate, the sFlow Agent device performs flow sampling on the traffic flowing through an
interface, including copying the header of the packet, extracting the Ethernet header and IP header of the packet, and
obtaining the route information of the packet.
Counter Sampling
In counter sampling, an sFlow Agent periodically obtains the statistics and CPU usage on a specified interface. The statistics
on the interface include the number of packets input through the interface and the number of packets output through the
interface.
Configuration Guide Configuring sFlow
Feature Description
Flow Sampling Sample the traffic flowing through the interface, and send the encapsulated sFlow datagram to the
sFlow Collector for analysis.
Counter Sampling Periodically send the statistics on the interface to the sFlow Collector for analysis.
Working Principle
Based on the specified sampling rate, the sFlow Agent device performs flow sampling on the traffic flowing through an
interface, including copying the header of the packet, extracting the Ethernet header and IP header of the packet, and
obtaining the route information of the packet. Then, the sFlow Agent encapsulates the flow sampling data into an sFlow
datagram and sends the datagram to the sFlow Collector for analysis.
Working Principle
The sFlow Agent performs interface polling on a regular basis. For an interface whose counter sampling interval expires, the
sFlow Agent obtains the statistics on this interface, encapsulates the statistics into an sFlow datagram, and sends the
datagram to the sFlow Collector for analysis.
7.4 Configuration
sFlow Agent and sFlow Collector can communicate with each other.
Traffic flowing through the interface are sampled based on the default sampling rate and sent to the sFlow Collector for
analysis.
Statistics of the interface are periodically sent to the sFlow Collector based on the default sampling interval for analysis.
Configuration Guide Configuring sFlow
Notes
To enable the sFlow Collector to analyze the flow sampling results, the IP address of the sFlow Collector on the sFlow
Agent device is required.
Configuration Steps
Mandatory configuration.
Use the sflow agent address command to configure the address of the sFlow Agent.
The sFlow Agent address must be a valid address. That is, the sFlow Agent address must not be a multicast or
broadcast address. It is recommended that the IP address of the sFlow Agent device be used.
Command sflow agent { address {ip-address | ipv6 ipv6-address }} | { interface { interface-name | ipv6
interface-name }}
Parameter address: Configures the IP address of the sFlow agent.
Description ip-address: sFlow Agent IPv4 address
ipv6 ipv6-address: sFlow Agent IPv6 address
interface: Configures the interface of the sFlow agent.
interface-name: Interface of IPv4 address.
ipv6 interface-name: Interface of IPv6 address.
Defaults No sFlow Agent address is configured by default
Command Global configuration mode
Mode
Configuration This command is used to configure the Agent IP address field in the output sFlow datagram. The datagram
Usage not configured with this filed cannot be output. The sFlow Agent address shall be a host address. When a
non-host address (for example, a multicast or broadcast address) is configured as the sFlow Agent address,
a message indicating configuration failure is displayed. It is recommended that the IP address of the sFlow
Agent device be configured as the sFlow Agent address.
Mandatory configuration.
Use the sflow collector command to configure the address of the sFlow Collector.
The sFlow Collector address must be a valid address. That is, the sFlow Collector address must not be a multicast or
broadcast address. sFlow Collector must exist, and the route to it must be reachable.
Mandatory configuration.
You can use the sflow flow collector command to enable the sFlow Agent to send flow samples to the sFlow Collector.
This function must be enabled on the interface to send flow samples to the sFlow Collector. In addition, sFlow Collector
must exist, the route to it must be reachable, and the IP address of the corresponding sFlow Collector has been
configured on the sFlow Agent device.
Mandatory configuration.
You can use the sflow counter collector command to enable the sFlow Agent to send counter samples to the sFlow
Collector.
This must be enabled on the interface to send counter samples to the sFlow Collector. In addition, sFlow Collector must
exist, the route to it must be reachable, and the IP address of the corresponding sFlow Collector has been configured on
the sFlow Agent device.
Mandatory configuration.
You can use the sflow enable command to enable the flow sampling and counter sampling on an interface.
The forwarding performance of an interface may be affected after flow sampling is enabled.
Verification
Use the show sflow command to display the sFlow configuration, and check whether the displayed information is
consistent with the configuration.
Configuration Examples
Scenario
Figure 7-6
As shown in Figure 7-6, start switch A that serves as the sFlow Agent, enable flow sampling and counter
sampling on port Te 0/1, monitor the traffic in the 192.168.1.0 network segment, encapsulate the sampling
traffic into sFlow datagrams at regular intervals or when the buffer is full, and send the sFlow datagrams to
the sFlow Collector for traffic analysis.
Configuration Guide Configuring sFlow
Verification Use the show sflow command to check whether the command output is consistent with the configuration.
Global information:
sflow sampling-rate:8192
Collector information:
2 NULL 0 1400
Port information
TenGigabitEthernet 0/1 1 1 Y
The preceding figure shows the Top N page of the sFlowTrend software. This page displays the flow
sampling results and displays the top 5 source IP addresses that involve the largest traffic. The total
incoming traffic is about 450 Kpps and the total outgoing traffic is 450 Kpps, which are consistent with the
actual traffic.
The preceding figure shows the counters page of the sFlowTrend software. This page displays the counter
Configuration Guide Configuring sFlow
sampling results. The incoming traffic is 450 Kpps and the outgoing traffic is also 450 Kpps. In addition, all
packets are unicast packets.
You can adjust the data sampling accuracy by modifying relevant parameter attributes of sFlow.
Notes
The forwarding performance may be affected when the sampling rate is too low.
Configuration Steps
Optional configuration.
You can use the sflow collector command to configure the length of the sFlow datagram, excluding the Ethernet header,
IP header, and UDP header. An sFlow datagram may contain one or multiple flow samples and counter samples.
Configuration of the output sFlow datagram's maximum length may lead to the result that the number of sFlow
datagrams output during processing of a certain number of flow samples differs from the number of sFlow datagrams
output during processing of the same number of counter packets. If the maximum length is greater than MTU, the output
sFlow datagrams will be segmented.
Optional configuration.
You can use the sflow sampling-rate command to configure the global flow sampling rate.
Configuration of flow sampling rate my affect the sFlow sampling accuracy. A lower sampling rate means a higher
accuracy and larger CPU consumption. Therefore, the forwarding performance of the interface may be affected when the
sampling rate is low.
Configuring the Maximum Length of the Packet Header Copied During Flow Sampling
Optional configuration.
You can use the sflow flow max-header command to configure the length of the packet header copied during flow
sampling globally.
Users can use this command to modify the datagram information to be sent to the sFlow Collector. For example, if a user
concerns about the IP header, this user can configure the length to 56 bytes. During encapsulation of flow samples, the
first 56 bytes of the sample packet are copied to the sFlow datagram.
Optional configuration.
You can use the sflow counter interval command to configure the global counter sampling interval.
Enable the counter sampling interface to send the statistics on it to the sFlow Collector at the sampling interval.
Verification
Check whether an sFlow datagram with the flow samples is received on the sFlow Collector.
Use the show sflow command to display the sFlow configuration, and check whether the displayed information is
consistent with the configuration.
Configuration Examples
Global information:
sflow sampling-rate:4096
Collector information:
2 NULL 0 1400
Port information
TenGigabitEthernet 0/1 0 1 Y
Configuration Guide Configuring sFlow
7.5 Monitoring
Displaying
Function Command
Displays the sFlow configuration. show sflow
Configuring Multicast
1. Configuring IGMP Snooping
2. Configuring IP Multicasting
Configuration Guide Configuring IGMP Snooping
1.1 Overview
Internet Group Management Protocol (IGMP) snooping is a mechanism of listening to IP multicast. It is used to manage and
control the forwarding of IP multicast traffic within VLANs, realizing Layer-2 multicasting.
As shown in the following figure, when a Layer-2 device is not running IGMP snooping, IP multicast packets are broadcasted
within the VLAN; when the Layer-2 device is running IGMP snooping, IP multicast packets are transmitted only to profile
members.
Figure 1-1 Networking Topology of IP Multicast Forwarding within the VLAN Before and After IGMP Snooping Is Run on the
Layer-2 Device
RFC4541: Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD)
Snooping Switches
1.2 Applications
Application Description
1-1
Configuration Guide Configuring IGMP Snooping
Layer-2 Multicast Control Enables precise forwarding of Layer-2 multicast packets to avoid flooding at this layer.
Shared Multicast Services (Multicast Multiple users can share the multicast traffic of the same VLAN.
VLAN)
Premium Channels and Preview Controls the range of multicast addresses that allow user demanding and allows
preview for profiles who are inhibited from demanding.
As shown in the following figure, multicast packets are transmitted to users through a Layer-2 switch. When Layer-2 multicast
control is not performed, namely, when IGMP snooping is not implemented, multicast packets are flooded to all the users
including those who are not expected to receive these packets. After IGMP snooping is implemented, the multicast packets
from an IP multicast profile will no longer be broadcast within the VLAN but transmitted to designated receivers.
Figure 1-2 Networking Topology of Implementing Layer-2 Multicast Control (Multicast VLAN)
Deployment
1-2
Configuration Guide Configuring IGMP Snooping
In Shared VLAN Group Learning (SVGL) mode or IVGL-SVGL mode (IVGL: Independent VLAN Group Learning), a device
running IGMP snooping can provide shared multicast services (or multicast VLAN services) to the VLAN users. Typically, this
function is used to provide the same video-on-demand (VOD) services to multiple VLAN users.
The following figure shows the operation of a Layer-2 multicast device in SVGL mode of IGMP snooping. The multicast router
sends a multicast packet to VLAN 1, and the Layer-2 multicast device automatically transfers the packet to VLAN 1, VLAN 2,
and VLAN 3. In this way, the multicast services of VLAN 1 are shared by VLAN 2 and VLAN 3.
If the Layer-2 multicast device operates in IVGL mode, the router must send a packet to each VLAN, which wastes
bandwidth and burdens the Layer-2 multicast device.
Deployment
Configure basic IGMP snooping functions (in SVGL mode or IVGL-SVG mode).
In VOD application, by limiting the range of the multicast addresses that a user host can access, unpaid users will not
be able to watch the premium channels. Thereafter, the preview service is offered to unpaid users before they decide
whether to pay for it.
The users can preview a premium channel for a certain period of time (for example 1 minute) after demanding it.
Deployment
Enable the preview function for VOD profiles that are denied access.
1.3 Features
Basic Concepts
1-3
Configuration Guide Configuring IGMP Snooping
IGMP snooping is VLAN-based. The ports involved refer to the member ports within the VLAN.
The device running IGMP snooping identifies the ports within the VLAN as a multicast router port or member port so as to
manage and control the forwarding of IP multicast traffic within the VLAN. As shown in the following figure, when IGMP
snooping is run on a Layer-2 device, multicast traffic enters the multicast router port and exits from the member ports.
Multicast router port: The location of the multicast source is directed by the port on the Layer-2 multicast device which is
connected to the multicast router (Layer-3 multicast device): By listening to IGMP packets, the Layer-2 multicast device
can automatically detect the multicast router port and maintain the port dynamically. It also allows users to configure a
static router port.
Member port: The port is on a Layer-2 multicast device and is connected to member hosts. It directs the profile
members. It is also called the Listener Port. By listening to IGMP packets, the Layer-2 multicast device can
automatically detect the member port and maintain the port dynamically. It also allows users to configure a static
member port.
Overview
Feature Description
Listening to IGMP Packets Discovers and identifies the router port and member port to establish and maintain the IGMP
snooping forwarding entries. :
IGMP Snooping Working Provides independent or shared multicast services to the user VLAN.
Modes
Multicast Security Control Controls the multicast service scope and load to prevent illegal multicast traffic.
Profile Defines the range of multicast addresses that permit or deny user requests for reference of
other functions.
Handling QinQ Sets the forwarding mode of multicast packets on the QinQ interface.
IGMP Querier On a network without a Layer-3 multicast device, the Layer-2 multicast device acts as an
IGMP querier.
1-4
Configuration Guide Configuring IGMP Snooping
Working Principle
A device running IGMP snooping can identify and handle the following types of IGMP packets:
Query Packets
An IGMP querier periodically sends General Query packets. When the IGMP querier receives Leave packets, it sends
Group-Specific Query packets.
When the device running IGMP snooping receives the Query packets, it performs the following operations within the VLAN:
Forward the IGMP Query packets to all the ports (except the receiving port of these packets).
If the receiving port is a dynamic router port, reset the aging timer. If the timer expires, the port will no longer be used as
the dynamic router port.
If the receiving port is not a dynamic router port, use it as a dynamic router port and enable the aging timer. If the timer
expires, the port will no longer be used as the dynamic router port.
For general queries, reset the aging timer for all the dynamic member ports. If the timer expires, the port will no longer
be used as the dynamic member port for the general group. By default, the maximum response time carried by the
IGMP query packets is used as the timeout time of the aging timer. If ip igmp snooping query-max-response-time is
run, the time displayed is used as the timeout time of the aging timer.
For designated query packets, reset the aging timer for all the dynamic member ports of the designated profile. If the
timer expires, the port will no longer be used as the dynamic member port of the designated profile. By default, the
maximum response time carried by the IGMP query packets is used as the timeout time of the aging timer. If ip igmp
snooping query-max-response-time is run, the time displayed is used as the timeout time of the aging timer.
If dynamic router port learning is disabled, IGMP snooping will not learn the dynamic router port.
Report Packets
When a member host receives a query, it responds to the query with a Report packet. If a host requests to join a profile,
it will also send a report.
By default, IGMP Snooping is capable of processing IGMPv1 and IGMPv2 packets. For IGMPv3 Report packets, it
processes profile information but does not process carried source information. IGMP Snooping v3 can be configured to
process all information in IGMPv1, IGMPv2, and IGMPv3 packets.
When the device running IGMP snooping receives the Report packets, it performs the following operations within the VLAN:
Forward the Report packets from all the router ports. After the ip igmp snooping suppression enable command is run
in one IGMP query cycle, only the first report received by each profile will be forwarded.
If the port on which Report packets are received is a dynamic member port, reset the aging timer. If the timer expires,
the port will no longer be used as the dynamic member port of the designated profile.
1-5
Configuration Guide Configuring IGMP Snooping
If the port on which Report packets are received is not a dynamic member port, use it as a dynamic member port and
enable the aging timer. If the timer expires, the port will no longer be used as the dynamic member port of the
designated profile.
Leave Packets
When the device running IGMP snooping receives the Leave packets, it performs the following operations within the VLAN:
If the port on which leave packets are received is a dynamic member port and the Leave function is enabled, the port
will be immediately deleted from the IGMP snooping forwarding entry of the designated profile and will no longer be
used as the dynamic member port.
If the port on which the leave packets are received is a dynamic member port and the Leave function is disabled, the
port state should be maintained.
Related Configuration
Run the ip igmp snooping vlan mrouter interface command to configure a static router port.
Run the ip igmp snooping vlan static interface command to configure a static member port.
Run the ip igmp snooping suppression enable command to enable report suppression.
After report suppression is enabled, in one IGMP query cycle, only the first Report packet received by each profile will be
forwarded. The source media access control (MAC) address of the forwarded report will be changed to the MAC address of
the device.
Run the ip igmp snooping fast-leave enable command to enable immediate leave.
Run the no ip igmp snooping mrouter learn pim-dvmrp command to disable dynamic router port learning.
Run the no ip igmp snooping vlan vid mrouter learn pim-dvmrp command to disable dynamic router port learning for
designated VLANs.
1-6
Configuration Guide Configuring IGMP Snooping
When a dynamic router port receives a query packet, the aging timer of the port is enabled or reset; if the aging time is not
configured, the maximum response time carried by the query packet is used as the aging time.
Run ip igmp snooping dyn-mr-aging-time to configure the aging time of the dynamic router port.
When a dynamic member port receives a query packet, the aging timer of the port is enabled or reset, and the aging time is
the maximum response time carried by the query packet.
When a dynamic member port receives a Report packet, the aging timer of the port is enabled or reset, and the aging time is
the maximum response time of the dynamic member port.
Run ip igmp snooping host-aging-time to configure the aging time of the dynamic member port.
The maximum response time of a query packet is not configured by default and the maximum response time carries by the
query packet is used.
Run ip igmp snooping query-max-response-time to configure the maximum response time of a query packet.
Working Principle
IVGL
In IVGL mode, a device running IGMP snooping can provide independent multicast services to each user VLAN.
Independent multicast services indicate that multicast traffic can be forwarded only within the VLAN it belongs to, and a user
host can subscribe to the multicast traffic within the VLAN that the host belongs to.
SVGL
In SVGL mode, a device running IGMP snooping can provide shared multicast services to the user VLAN.
Shared multicast services can be provided only on shared VLANs and sub VLANs and SVGL multicast addresses are used.
In a shared VLAN, the multicast traffic within the range of SVGL multicast addresses is forwarded to a sub VLAN, and the
user hosts within the sub VLAN subscribe to such multicast traffic from the shared VLAN.
In a shared VLAN and sub VLAN, shared multicast services will be provided to the multicast traffic within the range of
SVGL multicast addresses. Other multicast traffic will be discarded.
Other VLANs (except shared VLANs and sub VLANs) apply to independent multicast services.
1-7
Configuration Guide Configuring IGMP Snooping
When the user VLAN is set to a shared VLAN or sub VLAN, shared multicast services are provided; when a user VLAN
is set to other VLANs, independent multicast services are provided.
IVGL-SVGL
IVGL-SVGL mode is also called the hybrid mode. In this mode, a device running IGMP snooping can provide both shared
and independent multicast services to the user VLAN.
In a shared VLAN and sub VLAN, multicast services will be provided to the multicast traffic within an SVGL profile. For
other multicast traffic, independent multicast services will be provided.
Other VLANs (except shared VLANs and sub VLANs) apply to independent multicast services.
When a user VLAN is configured as a shared VLAN or sub VLAN, both public multicast services and independent
multicast services available. When a user VLAN is configured as a VLAN other than shared VLAN and sub VLAN, only
the independent multicast services are available.
Related Configuration
Run the ip igmp snooping ivgl command to enable IGMP snooping in IVGL mode.
Run the ip igmp snooping svgl command to enable IGMP snooping in SVGL mode.
Run the ip igmp snooping ivgl-svgl command to enable IGMP snooping in IVGL-SVGL mode.
A working mode must be designated when enabling IGMP snooping, namely, one of the preceding working modes must be
selected.
Run the ip igmp snooping svgl vlan command to designate a VLAN as the shared VLAN.
In SVGL mode and IVGL-SVGL mode, only one VLAN can be configured as the shared VLAN.
Run the ip igmp snooping svgl subvlan command to designate a VLAN as the sub VLAN.
In SVGL mode and IVGL-SVGL mode, the number of sub VLANs is not limited.
No default setting.
Run the ip igmp snooping svgl profile profile_num command to configure the address range of an SVGL profile.
In SVGL mode and IVGL-SVGL mode, the SVGL profile range must be configured; otherwise, shared multicast
services cannot be provided.
1-8
Configuration Guide Configuring IGMP Snooping
Working Principle
By configuring the profile list that a user can access, you can customize the multicast service scope to guarantee the interest
of operators and prevent illegal multicast traffic.
To enable this function, you should use a profile to define the range of multicast addresses that a use is allowed to access.
When the profile is applied on a VLAN, you can define the multicast addresses that a user is allowed to access within
the VLAN.
When the profile is applied on an interface, you can define the multicast addresses that a user is allowed to access
under the port.
Multicast Preview
If the service provider wants to allow the users to preview some multicast video traffic that denies the users' access, and stop
the multicast video traffic after the preview duration is reached, the user-based multicast preview function should be provided.
The multicast preview function is used together with multicast permission control. For example, in the application of videos,
the administrator controls some premium channels by running the ip igmp profile command on a port or VLAN. In this way,
unsubscribed users will not be able to watch these channels on demand. If users want to preview the channels before they
decide whether to pay for watching or not, the multicast preview function can be enabled, allowing the premium channels to
be previewed by unpaid users for a certain period of time (for example 1 minute).
If there is too much multicast traffic requested at the same time, the device will be severely burdened. Configuring the
maximum number of profiles allowed for concurrent request can guarantee the bandwidth.
You can limit the number of profiles allowed for concurrent request globally.
You can also limit the number of profiles allowed for concurrent request on a port.
Related Configuration
To filter multicast profiles, run the ip igmp snooping filter command in interface configuration mode or global configuration
mode.
Enabling Preview
1-9
Configuration Guide Configuring IGMP Snooping
Run the ip igmp snooping preview command to enable preview and restrict the range of the profiles permitted for multicast
preview.
Run the ip igmp snooping preview interval to set the multicast preview duration.
Configuring the Maximum Number of Profiles Allowed for Concurrent Request on a Port
By default, the number of profiles allowed for concurrent request is not limited.
Run the ip igmp snooping max-groups command to configure the maximum number of profiles allowed for concurrent
request.
Run the ip igmp snooping l2-entry-limit command to configure the maximum number of multicast profiles allowed globally.
Working Principle
When SVGL mode is enabled, an SVGL profile is used to define the range of SVGL multicast addresses.
When the multicast filter is configured on an interface, a profile is used to define the range of multicast addresses that permit
or deny user request under the interface.
When a VLAN filter is configured, a profile is used to define the range of multicast addresses that permit or deny user request
under within the VLAN.
When the preview function is enabled, a profile is used to define the range of multicast address allowed for preview.
Related Configuration
Configuring a Profile
Default configuration:
Configuration steps:
Run the range low-address high_address command to define the range of multicast addresses. Multiple address
ranges are configured for each profile.
(Optional) Run the permit or deny command to permit or deny user request (deny by default). Only one permit or
deny command can be configured for each profile.
1-10
Configuration Guide Configuring IGMP Snooping
On a device with IGMP snooping enabled and dot1q-tunnel (QinQ) port configured, IGMP snooping will handle the IGMP
packets received by the QinQ port using the following two approaches:
Approach 1: Create a multicast entry on the VLAN where IGMP packets are located. The forwarding of IGMP packets
on the VLAN where these packets are located is called transparent transmission. For example, presume that IGMP
snooping is enabled for a device, Port A is designated as the QinQ port, the default VLAN of this port is VLAN 1, and it
allows the passage of VLAN 1 and VLAN 10 packets. When a multicast Query packet is sent by VLAN 10 to Port A,
IGMP snooping establishes a multicast entry for VLAN 10 and forwards the multicast Query packet to the router port of
VLAN 10.
Approach 2: Create a multicast entry on the default VLAN of the QinQ port. Encapsulate the multicast packet with the
VLAN tag of the default VLAN where the QinQ port is located and forward the packet within the default VLAN. For
example, presume that IGMP snooping is enabled for a device, Port A is designated as the QinQ port, the default VLAN
of this port is VLAN 1, and it allows the passage of VLAN 1 and VLAN 10 packets. When a multicast Query packet is
sent by VLAN 10 to Port A, IGMP snooping establishes a multicast entry for VLAN 1, encapsulates the multicast query
packet with the tag of VLAN 1, and forward the packet to VLAN 1 router port.
Related Configuration
Configuring QinQ
On a network without a Layer-3 multicast device, the Layer-2 multicast device must be configured with the IGMP querier
function so that the device can listen to IGMP packets. In this case, a Layer-2 device needs to act as an IGMP querier as well
as listen to IGMP packets to establish and maintain the forwarding entry to realize Layer-2 multicast.
Working Principle
A Layer-2 device acts as an IGMP querier to periodically send IGMP Query packets, listen to and maintain the IGMP Report
packets replied by a user, and create a Layer-2 multicast forwarding entry. You can adjust relevant parameters of the Query
packets sent by the IGMP querier through configuration.
When the device receives a Protocol-Independent Multicast (PIM) or Distance Vector Multicast Routing Protocol (DVMRP)
packet, it considers that a multicast router, which will act as an IGMP querier, exists on the network and disables the querier
function. In this way, IGMP routing will not be affected.
1-11
Configuration Guide Configuring IGMP Snooping
When the device receives the IGMP Query packets from other devices, it will compete with other devices for the IGMP
querier.
You can enable the querier for a specific VLAN or all VLANs.
Only when the global querier function is enabled can the queriers for specific VLANs take effect.
The version of IGMP used for sending Query packets can be configured as IGMPv1, IGMPv2, or IGMPv3.
You can configure the source IP address of a query packet sent by the querier based on VLANs.
When the source IP address of the querier is not configured, the querier will not take effect.
You can configure the intervals for sending global Query packets based on different queriers on different VLANs.
You can configure the maximum response time carried by a Query packet that is sent by a querier. As IGMPv1 does not
support the carrying of maximum response time by a Query packet, this configuration does not take effect when the querier is
running IGMPv1. You can configure different maximum response time for queriers on different VLANs.
When other IGMP queriers exist on a network, the existing device will compete with other queriers. If the existing device fails
to be elected and is in the non-querier state, the aging timer of a querier will be enabled. After the timer expires, other
queriers on the network are considered as expired and the existing device will be resumed as the querier.
Related Configuration
Run the ip igmp snooping querier command to enable the global querier function.
Run the ip igmp snooping vlan num querier command to enable the querier function for specific VLANs.
Run the ip igmp snooping querier version command to configure the global querier version.
Run the ip igmp snooping vlan querier version command to specify the querier version for specific VLANs.
1-12
Configuration Guide Configuring IGMP Snooping
Run the ip igmp snooping querier address command to enable global source IP addresses of queriers.
Run the ip igmp snooping vlan querier address command to specify the source IP addresses of the queriers on specific
VLANs.
Run the ip igmp snooping querier query-interval command to enable the global query interval of queriers.
Run ip igmp snooping vlan querier query-interval to specify the global query interval of the queriers on specific VLANs.
Run the ip igmp snooping querier max-response-time command to configure the maximum response time of the query
packets sent by global queriers.
Run the ip igmp snooping vlan querier max-response-time command to specify the maximum response time of the query
packets sent by the queriers on specific VLANs.
Run the ip igmp snooping querier max-response-time command to configure the aging time of global queriers.
Run the ip igmp snooping vlan querier max-response-time command to configure the aging time of queriers on specific
VLANs.
1.4 Configuration
Any of IVGL mode, SVGL mode, and IVGL-SVGL mode must be selected.
Configuring Basic IGMP It is used to enable IGMP snooping in IVGL mode.
Snooping Functions (IVGL
Enables global IGMP snooping in IVGL
Mode) ip igmp snooping ivgl
mode.
no ip igmp snooping vlan num Disables IGMP snooping for a VLAN.
Any of IVGL mode, SVGL mode, and IVGL-SVGL mode must be selected.
It is used to enable IGMP snooping in SVGL mode.
Configuring Basic IGMP
Snooping Functions (SVGL Enables global IGMP snooping in IVGL
ip igmp snooping svgl
Mode) mode.
no ip igmp snooping vlan num Disables IGMP snooping for a VLAN.
ip igmp snooping svgl profile profile_num Configures the SVGL profile.
1-13
Configuration Guide Configuring IGMP Snooping
Any of IVGL mode, SVGL mode, and IVGL-SVGL mode must be selected.
It is used to enable IGMP snooping in IVGL-SVGL mode.
(Optional) It used to guarantee the security when a user requests a multicast profile.
1-14
Configuration Guide Configuring IGMP Snooping
(Optional) It is used to define the range of multicast addresses that permits or denies the
access of a user host.
(Optional) It is used to configure QinQ interface to forward multicast packets using the
VLAN identifier (VID) carried by packets.
Configuring IGMP QinQ
Configures QinQ to transmit IGMP
ip igmp snooping tunnel
packets transparently.
1-15
Configuration Guide Configuring IGMP Snooping
Notes
IP multicast cannot be realized in SVGL mode. If IP multicast must be used, select the IVGL mode.
Configuration Steps
Mandatory.
After IGMP snooping is enabled globally, this function will be enabled for all VLANs.
If not specified, it is advised to run global IGMP snooping on all the devices connected user hosts.
(Optional) You can use this function if you wish to disable IGMP snooping on specified VLANs.
Only when global IGMP snooping is enabled can it be disabled on specified VLANs.
In IVGL mode, each VLAN can enjoy independent multicast services. Disabling any VLAN multicast services will not interfere
in the services provided to the others.
Verification
Run the show ip igmp snooping gda-table command to display the IGMP snooping forwarding table and verify that
the member ports include only those connecting member hosts.
Run the show ip igmp snooping command to display the basic IGMP snooping information and verify that IGMP
snooping is working in IVGL mode.
Related Commands
1-16
Configuration Guide Configuring IGMP Snooping
Configuration Example
Scenario
Figure 1-5
1-17
Configuration Guide Configuring IGMP Snooping
1-18
Configuration Guide Configuring IGMP Snooping
vlan 1
-------------
IGMP Snooping state: Enable
Multicast router learning mode: pim-dvmrp
IGMP Fast-Leave: Disabled
IGMP VLAN querier: Disable
IGMP VLAN Mode: STATIC
Common Errors
Enable IGMP snooping and select SVGL mode to realize Layer-2 multicast.
Configuration Steps
Mandatory.
(Optional) By default, VLAN 1 is used as the shared VLAN. You can adjust this configuration for other options.
(Optional) By default, all the VLANs are used as the sub VLANs of SVGL and can share the multicast services of the shared
VLAN. You can adjust this configuration for other options.
Verification
Run the show ip igmp snooping command to display the basic IGMP snooping information and verify that IGMP
snooping is working in SVGL mode.
Run the show ip igmp snooping gda-table command to check whether inter-VLAN multicast entries are properly
formed.
Related Commands
1-19
Configuration Guide Configuring IGMP Snooping
1-20
Configuration Guide Configuring IGMP Snooping
Usage Guide If a device is running in SVGL mode, the following information is displayed:
IGMP Snooping running mode: SVGL
Configuration Example
Scenario
Figure 1-6
1-21
Configuration Guide Configuring IGMP Snooping
Common Errors
1-22
Configuration Guide Configuring IGMP Snooping
Enable IGMP snooping and select IVGL-SVGL mode to realize Layer-2 multicast.
Configuration Steps
Mandatory.
(Optional) By default, VLAN 1 is used as the shared VLAN. You can adjust this configuration for other options.
(Optional) By default, all the VLANs are used as the sub VLANs of SVGL and can share the multicast services of the shared
VLAN. You can adjust this configuration for other options.
Verification
Run the show ip igmp snooping command to display the basic IGMP snooping information and verify that IGMP
snooping is working in IVGL-SVGL mode.
Run the show ip igmp snooping gda-table command to check whether inter-VLAN multicast entries are properly
formed for the SVGL profiles.
Run the show ip igmp snooping gda-table command to check whether intra-VLAN multicast entries are properly
formed for the SVGL profiles.
Related Commands
1-23
Configuration Guide Configuring IGMP Snooping
1-24
Configuration Guide Configuring IGMP Snooping
Usage Guide If a device is running in IVGL-SVGL mode, the following information is displayed:
IGMP Snooping running mode: IVGL-SVGL
Configuration Example
Scenario
Figure 1-7
1-25
Configuration Guide Configuring IGMP Snooping
1-26
Configuration Guide Configuring IGMP Snooping
Common Errors
The IVGL multicast traffic cannot be forwarded within the SVGL profile.
Configure specified ports as the static router ports to receive the multicast traffic from all profiles.
Configure specified ports as the static member ports to receive the multicast traffic from specified profiles
Enable Report packets suppression to forward only the first Report packet from a specified VLAN or profile to the router
port within a query interval, and the following Report packets will not be forwarded to the router port, thereby reducing
the quantity of packets on the network.
Configure the immediate-leave function to delete a port from the entry of member ports when a leave packet is received
by the port.
Disable dynamic router port learning to disable the learning of any router port.
Based on network load and configuration of a multicast device, you can adjust the aging time of a router port and
member port as well as the maximum response time of a query packet.
Notes
Only when basic IGMP snooping is configured can relevant configurations take effect.
Configuration Steps
Optional.
You can perform this configuration if you want to specify a static port to receive all the multicast traffic within the VLAN.
Optional.
1-27
Configuration Guide Configuring IGMP Snooping
You can perform this configuration if you want to specify a static port to receive specific multicast traffic within the
VLAN.
Optional.
When there are numerous receivers to receive the packets from the same multicast profile, you can enable Report
packets suppression to suppress the number of Report packets to be sent.
Optional.
When there is only one receiver on a port, you can enable Leave to speed up the convergence of protocol upon leave.
Optional.
This function is used when multicast traffic needs to be forwarded only within the Layer-2 topology but not to a Layer-3
router.
Optional.
Optional.
You can configure the aging time based on the interval for sending IGMP query packets by the connected multicast
router. Typically, the aging time is calculated as follows: Interval for sending IGMP query packets x 2 + Maximum
response time of IGMP packets
Optional.
Verification
Run the show ip igmp snooping mrouter command to check whether the configured static router port has an "S" in
the displayed configuration information.
Run the show ip igmp snooping gda command to check whether the configured static member port is marked with an S.
Run the show ip igmp snooping command to check whether Report packets suppression, immediate leave, router
port learning, router port aging time, member port aging time, and the maximum response time of the Query packet take
effect.
1-28
Configuration Guide Configuring IGMP Snooping
Related Commands
Command ip igmp snooping vlan vid static group-address interface interface-type interface-number
Parameter vid: Indicates a VLAN. The value ranges from 1 to 4,094.
Description group-address: Indicates a profile address.
interface-type interface-number: Indicates an interface name.
Command Global configuration mode
Mode
Usage Guide By default, no static member port is configured.
1-29
Configuration Guide Configuring IGMP Snooping
Parameter N/A
Description
Command Global configuration mode
Mode
Usage Guide When this function is enabled, a port will be deleted from the entry of the member port when the port
receives a leave packet. After that, the packets will no longer be forwarded to this port when it receives the
query packets of specified profiles. Leave packets include the IGMPv2 Leave packets as well as the
IGMPv3 Report packets that include types but carry no source address.
The immediate-leave function applies only to the scenario where only one host is connected to a device
port. It is used to conserve bandwidth and resources.
1-30
Configuration Guide Configuring IGMP Snooping
1-31
Configuration Guide Configuring IGMP Snooping
1-32
Configuration Guide Configuring IGMP Snooping
Configuration Example
1-33
Configuration Guide Configuring IGMP Snooping
Scenario
Figure 1-8
1-34
Configuration Guide Configuring IGMP Snooping
Common Errors
Basic IGMP snooping functions are not configured or the configuration is not successful.
1-35
Configuration Guide Configuring IGMP Snooping
Configure to limit a user to receive only the multicast traffic from a router port to prevent illegal multicast traffic sent by
the end user.
Configure to limit a user to receive only the multicast traffic from designated source IP addresses to prevent illegal
multicast traffic.
Notes
Configuration Steps
Optional.
If you want to limit the profile packets to be received by a port, you can configure the profile filtering on the port.
If you want to limit the multicast packets to be received by a VLAN, you can configure the per-VLAN profile filtering.
Optional.
You can enable multicast preview for a user from an unauthorized profile.
Optional.
If you want to limit the number of multicast profiles that a port is allowed to receive, you can configure the maximum
number of multicast profiles allowed for this port.
If you want to limit the number of multicast profiles that global ports are allowed to receive, you can configure the
maximum number of multicast profiles allowed for these ports.
Verification
Run the show ip igmp snooping interfaces command to display the profile filtering and the maximum number of
multicast profiles for a port.
Run the show ip igmp snooping vlan command to display the per-VLAN profile filtering.
Run the show ip igmp snooping command to check whether the maximum number of global multicast profiles,
preview function, source port inspection, and source IP address inspection take effect.
1-36
Configuration Guide Configuring IGMP Snooping
Related Commands
Enabling Preview
1-37
Configuration Guide Configuring IGMP Snooping
Description 1,024.
Command Global configuration mode
Mode
Usage Guide N/A
1-38
Configuration Guide Configuring IGMP Snooping
Mode
Usage Guide If the maximum number of multicast addresses for a port is configures, the value will be displayed, for
example:
Ruijie#show ip igmp snooping interfaces gigabitEthernet 0/1
Interface Filter profile number max-group
------------------------- --------------------- ---------
GigabitEthernet 0/1 1 200
Configuration Example
Configuring the Profile Filtering and the Maximum Number of Demanded Profiles
1-39
Configuration Guide Configuring IGMP Snooping
Scenario
Figure 1-9
1-40
Configuration Guide Configuring IGMP Snooping
1-41
Configuration Guide Configuring IGMP Snooping
、Common Errors
Basic IGMP snooping functions are not configured or the configuration is not successful.
The multicast router port is not learned, leading to failure to receive the multicast traffic.
Configuration Steps
Creating a Profile
Verification
Run the show running-config command to check whether the preceding configurations take effect.
Related Commands
Creating a Profile
1-42
Configuration Guide Configuring IGMP Snooping
Usage Guide
Command deny
Parameter N/A
Description
Command Profile configuration mode
Mode
Usage Guide If the filtering mode of profile is set to deny while the range of multicast profiles is not specified, no profile is
to be denied, which means to permit all profiles.
Command permit
Parameter N/A
Description
Command Profile configuration mode
Mode
Usage Guide If the filtering mode of profile is set to permit while the range of multicast profiles is not specified, no profile is
to be permitted, which means to deny all profiles.
Configuration Example
1-43
Configuration Guide Configuring IGMP Snooping
Common Errors
Basic IGMP snooping functions are not configured or the configuration is not successful.
The mode of profile is set to permit while the range of multicast profiles is not specified, leading to the denial of all
profiles.
Create a multicast entry on the VLAN where IGMP packets are located. Forward IGMP packets on the VLAN where
these packets are located, realizing transparent transmission.
Notes
Configuration Steps
If the QinQ interface needs to forward multicast packets on the VLANs where the VIDs of the packets specify, enable
QinQ to realize transparent transmission.
Verification
Run the show ip igmp snooping command to check whether the configuration takes effect.
Related Commands
1-44
Configuration Guide Configuring IGMP Snooping
Configuration Example
Common Errors
Basic IGMP snooping functions are not configured or the configuration is not successful.
Configure the device as an IGMP querier, which will send IGMP Query packets periodically and collect user demanding
information.
Notes
Configuration Steps
1-45
Configuration Guide Configuring IGMP Snooping
(Optional) You can configure the source IP address of a Query packet sent by the querier based on VLANs.
After a querier is enabled, a source IP address must be specified for the querier; otherwise, the configuration will not
take effect.
(Optional) Adjust the maximum response time carried by an IGMP Query packet. As IGMPv1 does not support the
carrying of maximum response time by a Query packet, this configuration does not take effect when the querier is
running IGMPv1.
(Optional) Adjust the interval of the IGMP querier for sending query packets.
(Optional) Configure the aging timer of other IGMP queriers on the network.
Verification
Run the show ip igmp snooping querier detail command to check whether the configuration takes effect.
Related Commands
1-46
Configuration Guide Configuring IGMP Snooping
1-47
Configuration Guide Configuring IGMP Snooping
Configuration Example
1-48
Configuration Guide Configuring IGMP Snooping
Scenario
Figure 1-10
In the scenario without Layer-3 multicast equipment, the multicast traffic can be forwarded only on the
Layer-2 network.
A acts as a Layer-2 device to connect to the multicast source and receiver.
Configuration Enable global IGMP snooping on A in IVGL mode.
Steps Enable IGMP querier for VLAN 1 on A.
A A(config)#ip igmp snooping ivgl
A(config)#ip igmp snooping querier
A(config)#ip igmp snooping querier address 10.1.1.1
A(config)#ip igmp snooping vlan 1 querier
Verification Run the show ip igmp snooping querier command to check whether the querier of VLAN 1 takes effect.
A A(config)#show ip igmp snooping querier
Vlan IP Address IGMP Version Port
-----------------------------------------------------------
1 10.1.1.1 2 switch
1-49
Configuration Guide Configuring IGMP Snooping
Common Errors
The source IP address is not configured for the querier and the querier does not take effect.
1.5 Monitoring
Clearing
Running the clear commands may lose vital information and thus interrupt services.
Description Command
Clears the statistics on IGMP snooping. clear ip igmp snooping statistics
Clears the dynamic router ports and member clear ip igmp snooping gda-table
ports.
Displaying
Description Command
Displays basic IGMP snooping configurations. show ip igmp snooping [ vlan vlan-id ]
Displays the statistics on IGMP snooping. show ip igmp snooping statistics [ vlan vlan-id ]
Displays the router ports. show ip igmp snooping mrouter
Displays the IGMP snooping entries. show ip igmp snooping gda-table
Displays the profile. show ip igmp profile [ profile-number ]
Displays the IGMP snooping configurations on show ip igmp snooping interface interface-name
an interface.
Displays the IGMP querier. show ip igmp snooping querier [ detail ]
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs all IGMP Snooping functions. debug igmp-snp
Debugs the IGMP snooping events. debug igmp-snp event
Debugs the IGMP snooping packets. debug igmp-snp packet
Debugs the communications between IGMP debug igmp-snp msf
snooping and MSF.
Debugs the IGMP snooping alarms. debug igmp-snp warning
1-50
Configuration Guide Configuring IP Multicasting
2 Configuring IP Multicasting
2.1 Overview
IP multicasting is abstracted hardware multicasting and an extended multicast routing protocol on the standard IP network
layer.
In traditional IP transmission, only one host can send packets to a single host (unicast communication) or all hosts (broadcast
communication). However, the multicast technology provides the third choice: a host can send packets to certain specified
hosts.
2.2 Features
Overview
Feature Description
Configuring an
Overwriting
Mechanism Upon Deletes the earliest hardware entries and adds new entries if the hardware forwarding table overflows
Overflow of Multicast when you create multicast forwarding entries.
Hardware Forwarding
Entries
Working Principle
Delete the earliest hardware entries and adds new entries if the hardware forwarding table overflows when you create
multicast forwarding entries .
Related Configuration
By default, the overwriting mechanism upon the overflow of multicast hardware forwarding entries is disabled.
Run msf ipmc-overflow override to configure the overwriting mechanism upon overflow of multicast hardware forwarding
entries.
2-1
Configuration Guide Configuring IP Multicasting
2.3 Configuration
Delete the earliest hardware entries and adds new entries if the hardware forwarding table overflows when you create
multicast forwarding entries.
Notes
Configuration Steps
The overwriting mechanism upon overflow of multicast hardware forwarding entries can be configured on each device
unless otherwise specified.
Verification
Run show running-config to check whether the overwriting mechanism upon overflow of multicast hardware forwarding
entries is configured.
Related Commands
Configuration Example
Creating the IP Multicast Service on the IPv4 Network and Configuring an Overwriting Mechanism Upon
Overflow of Multicast Hardware Forwarding Entries
2-2
Configuration Guide Configuring IP Multicasting
Verification Run show running-config to check whether the overwriting mechanism upon overflow of multicast
hardware forwarding entries is configured.
A
A# show running-config
2.4 Monitoring
Clearing
Running the clear commands may lose vital information and interrupt services.
Displaying
Description Command
Displays the IPv4 multi-layer show msf msc
multicast forwarding table.
Debugging
System resources are occupied when debugging information is output. Therefore, disable debugging immediately after
use.
Description Command
Debugs the processing of IPv4 debug msf forwarding
multi-layer multicast packet
forwarding.
Debugs the operation on multi-layer debug msf msc
multicast forwarding entries on an
IPv4 network.
Debugs the bottom-layer hardware debug msf ssp
processing of IPv4 multi-layer
multicast packet forwarding.
Debugs the invocation of API debug msf api
2-3
Configuration Guide Configuring IP Multicasting
Description Command
interfaces provided by IPv4
multi-layer multicast forwarding.
Debugs the processing of multi-layer debug msf event
multicast forwarding events on an
IPv4 network.
2-4
Configuration Guide Specifications and Limitations
Feature Description
MAC Address 1. The XS-S1960-H series neither learns nor forwards packets whose source MAC addresses and
destination MAC addresses are all 0's.
2. The XS-S1960-10GT2SFP-P-H switches do not support the MAC-based VLAN function with a masked
VLAN ID.
QinQ 1. The XS-S1960-H series support four global tag protocol identifier (TPID) values. One of the TPID
values must be 0x8100, and the other three are arbitrary.
2. The XS-S1960-10GT2SFP-P-H switches do not support the flow characteristic-based outer VID
selection function.
3. The XS-S1960-10GT2SFP-P-H switches do not support the packet content-based inner VID
modification function.
4. The XS-S1960-10GT2SFP-P-H switches do not support the optimization function of mapping
consecutive inner VIDs to the same outer VID.
Private VLAN The XS-S1960-H series do not support the isolation trunk port and the hybrid trunk port.
SPAN 1. When mirroring is configured on the XS-S1960-H series, the switch field must be added to the
mirroring destination port.
2. On the XS-S1960-H series, the Tx mirroring source port can mirror packets sent from the CPU.
DCB 1. The XS-S1960-10GT2SFP-P-H series do not support the congestion notification (CN) function.
2. The XS-S1960-10GT2SFP-P-H series do not support the enhanced transmission selection (ETS)
function.
3. The XS-S1960-10GT2SFP-P-H series do not support the priority-based flow control (PFC) function.
4. The XS-S1960-10GT2SFP-P-H series do not support the data center bridging exchange protocol
(DCBX) function.
Interface 1. The auto-negotiation function is disabled by default on 10G SFP ports and interfaces.
2. For 1000M SFP ports (SFP combo ports) and 10G SFP ports, the auto-negotiation function is enabled
when the GT module is inserted.
3. 10G SFP ports do not support the 100M rate.
4. None of the ports supports the 40G rate.
5. 100M SFP ports support the half-duplex mode but 1000M and 10G SFP ports do not support this mode.
6. The effective maximum transmission unit (MTU) value of line cards on the entire XS-S1960-H series is
greater than the configured value by 26 bytes (including the 14-byte Ethernet header, 4-byte FCS field,
and 2 tags).
7. Switch virtual interfaces (SVIs) support the MTU configuration.
8. The XT expansion cards of the XS-S1960-H series do not support cable detection.
9. The XS-S1960-H series do not support the SVI sampling function.
10. The XS-S1960-H series do not support the 40G splitting function.
Configuration Guide Specifications and Limitations
storm control based on packets per second for multicast packets cannot be configured on the same
interface.
5. The storm control function is disabled for broadcast packets on interfaces of the XS-S1960-H series by
default. The default storm control value of broadcast packets is 1% of the port bandwidth.
6. If storm control based on packets per second is configured for unicast/multicast packets on an interface
of the XS-S1960-H series, storm control based on bandwidth percentage/kilo bits per second for
broadcast packets cannot be configured on the same interface. If storm control based on bandwidth
percentage/kilo bits per second is already configured for unicast/multicast packets on an interface,
storm control based on packets per second for broadcast packets cannot be configured on the same
interface.
IPFIX The XS-S1960-10GT2SFP-P-H series do not support the Internet Protocol Flow Information Export (IPFIX)
function.
sFlow On the XS-S1960-H series, the Sampled Flow (sFlow) agent address can be configured by running the sflow
agent interface { interface-name | ipv6 interface-name } command. This command is mutually exclusive to
the sflow agent address {ip-address | ipv6 ipv6-address } command.
QoS 1. The XS-S1960-H series do not support the weighted random early detection (WRED) function.
2. Members to be added to a logical port group must be physical ports or aggregate ports.
3. The deny entry in an ACL matching a class-map does not take effect.
4. When QoS is applied to the outbound direction, the XS-S1960-H series alter the DSCP value of packets
whose bandwidth exceeds the limit but keeps the CoS value unchanged. When QoS is applied to the
inbound direction, the XS-S1960-H series alter the DSCP value and CoS value of packets whose
bandwidth exceeds the limit.
5. The XS-S1960-H series alter the CoS value of packets whose bandwidth exceeds the limit, and modify
the DSCP value synchronously. After the none-tos option is set, the XS-S1960-H series do not modify
the DSCP value when altering the CoS value. When the DSCP value of packets matches a QoS policy,
the XS-S1960-H series neither alter the CoS value nor modify the DSCP value of MPLS packets.
6. The XS-S1960-H series do not support the none-tos option when CoS is configured.
7. On the XS-S1960-H series, bandwidth limit refers to the actual bandwidth, including the load of the
preamble and interframe gap. The preamble and interframe gap carried in each packet occupy 20
bytes.
8. The XS-S1960-H series support the minimum rate limit of 64 kbps for egresses and ingresses.
9. For the second parameter (burst traffic) in the QoS rate-limit policy, if the parameter value is small, the
actual rate may be excessively small upon burst traffic. If the parameter value is large, the actual rate
may be excessively large. Users can use the following recommended configurations based on actual
situation:
(1) If the configured rate limit is less than 1,024 kbps, the recommended burst-size value is 1,024
KBytes.
(2) If the configured rate limit is 10,240 kbps, it is recommended to set the burst-size value to be same
as the rate limit or use the maximum value (the allowable burst-size value of products may be less than
10,240 KBytes).
(3) If the configured rate limit is greater than 10,240 kbps, it is recommended to set the burst-size value
Configuration Guide Specifications and Limitations
Bandwidth Supported
Packet Type Packet Priority
(pps) or Not
7 1500
Default bandwidth of CPU ports: 4500
NFPP Default values of the network foundation protection policy (NFPP) of the XS-S1960-H series:
Function Sub-option Rate Limit Attach Threshold
per-src-ip 30 200
per-src-mac 30 200
arp-guard per-port 256 400
scan-per-mac 100 N/A
scan-per-ip-mac 100 N/A
per-src-ip 400 600
icmp-guard
per-port 500 800
per-src-ip 20 200
ip-guard per-port 100 400
scan-per-ip 100 N/A
per-src-mac 5 10
dhcp-guard
per-port 300 512
per-mac 5 10
dhcpv6-guard
per-port 300 512
nd-guard ns-na per-port 100 200
rs per-port 50 100
ra-redirect per-port 50 100
Maximum number of NFPP users: 10,000
ACL 1. On the XS-S1960-H series, the ACL applied to the inbound direction does not support the Layer-4 port
"NEQ" matching for TCP and UDP packets, and the ACL applied in the outbound direction supports
only the Layer-4 port "EQ" matching for TCP and UDP packets.
2. On the XS-S1960-H series, IPv6 ACLs support matching by the following fields: Protocol, sip, l4_src,
dip, l4_dst, dscp, and flow_label. An IPv6 ACL supports matching only based on the following two field
groups:
1) Protocol, sip, l4_src, l4_dst, dscp, flow_label, range
2) Protocol, dip, l4_src, l4_dst, dscp, flow_label, range
3) An ACL cannot use all the fields for matching. In addition, IPv6 ACLs do not support matching by
fragment matching and do not support matching by flow_label in the outbound direction.
4) When high-order 64 bits (the mask length is smaller than or equal to 64) need to be matched for
the source IP address and destination IP address, matching based on the IPv6 5-tuple is
supported.
3. On the XS-S1960-H series, security ACLs applied to an SVI are effective to both intra-VLAN packets
forwarded by bridges and inter-VLAN routed packets. As a result, users in the VLAN cannot perform
communication.
4. The XS-S1960-H series cannot identify the fragment flag field in the IPv6 packets. If an IPv6 ACL
contains the fragment flag, the fragment flag is ignored in packet matching. This is equivalent to
Configuration Guide Specifications and Limitations
absence of the fragment flag in ACLs, and matching is performed on all packets, including the
first-fragment packets and non-first-fragment packets.
5. The XS-S1960-H series support the switching between fragment packet matching modes only in IP
extended ACLs and expert extended ACLs.
6. On the XS-S1960-H series, ACL80 supports only the following common fields: destination MAC
address, source MAC address, VID, ETYPE, IP protocol number, source IPv4 address, destination IPv4
address, destination port ID, source port ID, ICMP type, and ICMP code.
7. The XS-S1960-H series do not support the reflective ACL function.
DoS 1. The XS-S1960-H series consider the following types of TCP packets invalid:
(1) TCP packets with both the SYN flag and FIN flag set
(2) TCP packets without any flag
(3) TCP packets with the FIN flag set but the ACK flag not set
(4) TCP packets with the SYN flag set and the source port ID ranging from 0 to 1023
2. When the function of defending against invalid TCP packet attacks is enabled, the XS-S1960-H series
can filter out all of the Type 1 and Type 4 invalid TCP packets, the Type 2 invalid TCP packets without
any flag and the sequence number being 0, and the Type 3 invalid TCP packets with the FIN flag, URG
flag, and PSH flag set and the sequence number being 0.
802.1X 1. The XS-S1960-H series do not support wireless Dot1x relevant functions, including the Remote
Intelligent Perception Technology (RIPT) and wireless MAC address bypass (MAB) authentication,
Remote Authentication Dial In User Service (RADIUS) server escape function, 802.1x used only for
encryption when both 802.1x authentication and Web authentication are configured, system logs of
online and offline rates of 802.1x authenticated users, notification of SNMP traps when 802.1x
authenticated users go online/off, traffic check, and charging started after STA information is obtained.
3. The XS-S1960-H series do not support the binding between static IP addresses and MAC addresses.
4. The XS-S1960-H series do not support authentication initiated after IP addresses of MAB users are
obtained.
2. XS-S1960-10GT2SFP-P-H: When the main board temperature is higher than 61°C or the chip
temperature is higher than 100°C, the system indicator is in yellow and a device high temperature alarm
is reported. When the main board temperature is higher than 66°C or the chip temperature is higher
than 110°C, the system indicator is in red and a device high temperature alarm is reported. When the
main board temperature is higher than 74°C or the chip temperature is higher than 115°C, the device
automatically restarts.
5. XS-S1960-24GT4SFP-UP-H: The show fan speed command is used to obtain the speed level. The
speed level options are as follows: 0: stop; 1: low speed; 2: high speed.
6. XS-S1960-10GT2SFP-P-H: It adopts the fan-free design and does not support fan monitoring.
VSU
1. The XS-S1960-10GT2SFP-P-H do not support VSUs.
2. At least one 1000M SFP port must be specified as a member port of a VSL for each device.
3. VSL member ports of two devices are connected via the SFP+ module and copper cables.
5. A maximum of four VSL member ports can be configured on each XS-S1960-H series device.
6. VSL APs and VSP AP auto-negotiation do not need to be configured when VSL ports are configured.
2. The output of the show poe powersupply command varies with products:
The XS-S1960-H series are box-type devices and each of them has only one card. The information
output by this command is different from that of CA products in format. For the
XS-S1960-24GT4SFP-UP-H series, the show poe powersupply command does not show the slot
PSE information.
3. The XS-S1960-H series are box-type devices, each of them has only one card, and the following slot
PSE configuration commands are unavailable for them:
1) Command for enabling slot PSE: poe enable pse [device device_num] slot slot_num;
2) Command for setting the slot PSE power: poe max-power max-power pse [device device_num]
slot slot_num
3) Command for setting the slot PSE priority: poe priority { critical | high | low } pse [device
device_num] slot slot_num
4. Different syslogs are generated when the PoE port is powered on/off:
When the XS-S1960-24GT4SFP-UP-H is powered on/off, "Interface xx link state changed to down with
PoE being xx" is displayed.
The XS-S1960-10GT2SFP-P-H does not output this log.
5. The XS-S1960-10GT2SFP-P-H support the one-click PoE information collection function:
Users can run CLI commands, press and hold @@@@+F, or press Reset to trigger this function.
6. The default power management mode varies with products:
The default PoE power management mode of XS-S1960-24GT4SFP-UP-H is the energy conservation
mode.
7. The output of the poe max-power command is different for the 60 W and 90 W HPoE products:
The 60 W and 90 W HPoE products use different PoE chips and support different maximum port
powers. The maximum port power that can be configured is 60 W for 60 W HPoE products and 95 W for
90 W HPoE products.
IGMP 1. The output of the ip igmp snooping max-groups command varies with products:
Snooping The XS-S1960-10GT2SFP-P-H and XS-S1960-24GT4SFP-UP-H are box-type devices, their overall
memories are limited, and an interface can join a maximum of 2048 multicast groups.
2. The output of the show ip igmp snooping statistics command varies with products:
The XS-S1960-10GT2SFP-P-H and XS-S1960-24GT4SFP-UP-H are box-type devices, their overall
memories are limited, and the maximum number of entries is 2048. The show ip igmp snooping
statistics command shows that the maximum number of entries is 2048.
NTP Ruijie products of the current version support authentication keys with a maximum of 1024 bits. A unique key
can be set for each server for secure communication.
OpenFlow Ruijie products of the current version support multiple controllers, and a maximum of three SDN controllers
can be connected.